Last year, regulators in New York decided to take cybersecurity matters for financial institutions into their own hands, releasing a set of rules (which went into effect in March), requiring banks and other FIs to establish a stricter cybersecurity program. This includes reporting all kinds of data breaches, ransomware, or phishing attacks, which could potentially harm consumer data.
The new regulations also require companies to report to the New York State Department of Financial Services (DFS) at least annually, certifying that cybersecurity procedures are in place and are operating appropriately. The first reporting deadline is Feb. 15, 2018.
Here’s the tricky part: this certification has to be signed by the company’s board members. Why is this tricky?
Turns out, more than 60% of board executives from various FIs, surveyed by compliance solutions provider Diligent, said they are not required to pass any cybersecurity training whatsoever. About half of 381 respondents said they undergo a cybersecurity training course just once a year.
Given the rapidly-changing nature of various scams and cyber attacks, an annual training course doesn’t provide nearly enough information to allow board members to confidently sign off on the required certification, Dottie Schindlinger, VP and governance technology evangelist at Diligent, told Bank Innovation.
“The hope and the expectation is that most financial institutions already have a solid cybersecurity program in place, but the place where we found a bit of a gap is when looking at top level executives,” she said. “Even though top directors and board members have access to the most classified information, we found that a lot of them don’t pass a basic cybersecurity training [course], and are not familiar with basic security measures, even in daily communication.”
In many cases, those directors rely on “the IT team to have everything in place,” she added, and they themselves don’t receive any form of oversight in terms of sharing or storing sensitive data. With the new regulations in place, this practice could have severe (although yet unclear) consequences.
“Obviously, directors serve on many boards, and it’s difficult to have them all trained for each company, but that said, more than 90% of directors that we asked said they were using personal email for company correspondence,” Schindlinger said. “To avoid this, companies should establish a simple training module, just a walk through, for directors on how to recognize phishing attacks, various scams, and hacks, and how to store data securely.”
The company’s CFO should also have a reporting accountability on the board table at “every board meeting,” just to keep the directors in the loop on big and small cyber attacks. “In addition, those senior officials should also have access to, and be informed of, secure communication tools, of which there are many available,” she added.
Financial services is a top target for global cyber attacks, according to NTT Security, which is why Schindlinger expects the scope of the new regulation to expand rapidly. “DFS is already holding companies liable for their vendors, which means the regulation expands beyond New York, but there is certainly more to come,” she said.