A New Standard Is Emerging In Cybersecurity Regulations

Forbes Technology Council
POST WRITTEN BY
Kelly White

In response to worries over data security, New York’s Department of Financial Services (NYDFS) enacted a set of cybersecurity regulations that is quickly becoming the standard for data security in the financial industry. The regulation, officially known as 23 NYCRR 500, went into effect in March 2017. Since then, the NYDFS regulations have grown in popularity and are now popping up in a number of other agency regulations.

The 'Who' And 'What' Of The NYDFS Regulations

The purpose of the NYDFS cybersecurity requirements is to ensure that all entities under the department’s jurisdiction adopt a cybersecurity management program that adheres to a set of minimum requirements as set forth in the regulation. It was agreed that meeting these minimum requirements would provide a baseline level of protection for the various enterprises and consumers affected by the regulation. To comply, a company must do the following:

Designate a chief information security officer (CISO) who needs to report once a year to the board of directors on the integrity of the business’s information security, cybersecurity risks, and current cybersecurity policies and procedures.

Keep records and establish an audit trail.

Develop written guidelines that must include best practices, guidelines and standards for secure development processes, and procedures to ensure in-house applications adhere to your company’s cybersecurity guidelines.

Hire security personnel and train them in your specific cybersecurity policy to ensure they know all about the current and changing cybersecurity landscape.

Mandate the use of multifactor authentication so that it will be required to access certain programs, applications and email.

In addition to the requirements listed above, companies are expected to encrypt nonpublic information, administer cybersecurity training to their entire staff and dispose of data securely.

The Secret Of Its Success? Accountability

Until the release of the NYDFS Cybersecurity Regulation, only the FFIEC Examiner's Handbook was specific in stating minimum information security program requirements. All other regulations provided only general requirements and guidance. In the case of the Federal Trade Commission, it did so to "provide financial institutions with the flexibility to share the information security programs to their particular business" (Federal Trade Commission 16 CFR Part 314 page 5).

The regulators weren’t happy with the results they’d been getting from companies using a principles-based approach, so they’re moving toward a more prescriptive approach -- and the NYDFS regulations are pretty darn prescriptive. In justifying the adoption of the NYDFS regulations, the FTC explained, "While the Commission believes the proposed amendments continue to provide companies with flexibility, they also attempt to provide more detailed guidance as to what an appropriate information security program entails."

NYDFS Showed The Way, But Others Aren’t Far Behind

The NYDFS Cybersecurity Regulation went into effect on March 1, 2017. The National Association of Insurance Commissioners followed in October 2017 with its Insurance Data Security Model. It's important to note that the insurance model is based largely on the regulations issued by the NYDFS, in some cases word for word. For example, compare the following regulations ("A" is from the insurance model regulation and "B" is from NYDFS):

A) "Include audit trails within the Information Security Program designed to detect and respond to Cybersecurity Events" (Insurance Model Regulation 3.D.3.i).

B) "Include audit trails designed to detect and respond to Cybersecurity Events" (23 NYCRR 500.06.a.2).

But it doesn’t stop there. The insurance model contains 18 sections that match the NYDFS Cybersecurity Regulation verbatim.

The FTC, in its notice for public comment, was more direct in stating its intention to base the updated Safeguards Rule on the NYDFS Cybersecurity Regulation: "These amendments are based primarily on the cybersecurity regulations issued by the New York Department of Financial Services, 23 NYCRR 500."

Don’t Wait For The Inevitable -- Act Now

As the NYDFS Cybersecurity Regulation continues to grow in popularity and continues to be adopted in whole or part by other entities, it’s clear that this prescriptive approach is the new norm, and the NYDFS requirements are the new standard. If you’re in finance but haven't been subject to NYDFS, it’s time to get to work. The FTC is bringing them to your door. And the ball is just getting rolling. It’s likely not long until other state or federal regulators adopt them for their industries, as well.
