Plan, people, policies
Under the guidance of Maria Vullo, the New York Department of Financial Services (NYDFS) created and finalized cybersecurity regulations for the banks, insurance companies, money transmitters, credit unions, brokers, and mortgage bankers that it oversees. These companies and institutions run the gamut in size and sophistication of their systems, so the department looked at them individually and reviewed the risk level and factors of each one.
This was done AHEAD of any federal or local laws that were put into place, a forward way of thinking that will likely save many businesses from losing it all should they be afflicted by a breach.
What is interesting about their approach, aside from being done proactively and not reactively, is that the rules are risk-based. This means that the rules do not give a straight prescription, so companies weren’t limited to adhering to a strict list of guidelines. They gave some flexibility in how standards were met and how the businesses were certified.
It Takes a Team
Additionally, the accountability is spread out among individuals at the C-level, not just a person in the CISO role. Taking it one step further, the CISO title wasn’t required, but the responsibility of the role was there. It was dependent on the size and nature of the institution, but it should be noted that there had to be a person identified to oversee and enforce the policies. This person also had to report to the board.
Training was also put at the forefront, making sure that the regulations were known and understood. They realized that internal employees were the highest risk factor for a breach, and ultimately the most preventable through creating awareness and enforcing education. Additional training also has to be done for the cybersecurity personnel. Vullo said that while the content is different, it is also ongoing and critical.
SHIELDing Your Business
In July 2019, New York Governor Cuomo signed legislation that aims to put New Yorkers’ private data in more protective and safer business environments. The Stop Hacks and Improve Electronic Data Security, or SHIELD, law imposes strong obligations on businesses that handle private data to provide proper notification to the consumers who are affected by a security breach. Additionally, credit reporting agencies must offer identity theft prevention and mitigation services to those who have been affected by a security breach of the agency’s system.
To meet the NYDFS regulations and to be prepared, we recommend that all companies acknowledge the risk factor and upgrade their security measures by aligning themselves with those put in place by a credible agency, like NYDFS. Ideally, you would get ahead of the game as they did.
Do you have a plan to prevent, detect, and respond? Prevention and detection are great first steps, but the likelihood of a breach or attack happening increases daily. An incident response plan is a critical component – you need to know how you’ll respond and recover for your own safety and security, as well as for the survival of your own business.
Following the lead of this progressive-thinking organization is highly recommended. Save time and money by being ahead of the hackers.