Arraya Insights | September 1, 2017
On Monday August 28th, the 180-day transitional period for compliance with the New York Department of Financial Services Cyber Security Law came to an end. This means that covered entities are now required to be in compliance with elements of the law unless otherwise specified. The date is significant because companies affected by the law have been given time to comply with it and now auditors can begin checking for compliance and levying penalties.
Why the NY DFS Law is Different
In some of my previous blog posts, I’ve talked about security compliance, different regulations, and strategies for compliance. I’ve been through many audits in the past. In the interest of full transparency, it’s been my experience that most cyber security audits are pretty generic. If you’re following basic security hygiene practices, know what you’re talking about, and can make a case as to how your controls meet the auditor’s intent, then the audit typically goes smoothly. There are usually some recommendations and takeaways, but nothing earth-shattering or business-crippling.
Then there’s the state of New York. I’ve gone through audits with this group before when there wasn’t even a defined checklist and it was a week-long event. Unlike most vendor due diligence checklists or existing state guidelines with generic requirements, the NY DFS law calls out specific controls that you must have in place. As of Monday the 28th, the following controls are now legally mandated:
- Established policy across 14 specific security categories like customer privacy, system availability, inventory/device management, data governance, and much more
- Limitations on access privileges
- Qualified cybersecurity personnel and intelligence
- Third party service provider security policy
- An incident response plan
These are mostly non-technical requirements; however, the deadlines for the technical requirements are fast approaching. Companies will soon be required to implement multifactor authentication for remote access, detect cybersecurity events, encrypt data at rest and in transit, and much more. These may sound like simple tasks, but many organizations simply do not have these controls implemented. The more impactful requirement of this law takes effect on February 15, 2018. By this date, companies must submit in writing to the Superintendent a statement “certifying that the Covered Entity is in compliance with the requirements set forth.” In other words, security is no longer IT’s problem. This certification holds the “Senior Officer(s)” responsible for complying with the law. For many organizations, this is a significant deviation from how security is typically perceived and managed.
It’s my opinion that this is just the beginning of the emergence of cyber security regulations. I anticipate more states, federal agencies, and regulatory authorities prescribing similarly defined requirements across all industries with specific technical controls. Finance has already adopted multiple security regulations like the NY DFS Law. Healthcare is already on its way toward mandating adoption of the NIST Cyber Security Framework, if it decides to follow guidance from the U.S. Dept of Health and Human Services Healthcare Cyber Security Task Force Report. Given the number and scale of attacks over the last year, it’s impossible to think these concerns from regulators will go away. Most likely they’ll only get more complex and sophisticated.
If you’d like to hear more about the latest in cyber security defense initiatives as well as threats, join me on 9/28 for Identifying, Monitoring, and Analyzing Security Threats, a free, morning-long event packed with sessions dedicated to those very topics. We can also carry on the conversation one-on-one. If you’d rather get something scheduled sooner, visit https://www.arrayasolutions.com/contact-us/ to make that happen.