On March 1, 2017 the New York State Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies went into effect. Annually (beginning February 15, 2018) either the chairperson of the Board of Directors or a senior officer will be required to sign a statement that they have reviewed all applicable documents about their firm (including vendors) that are necessary to certify that the covered entity complied with the rules during the prior year.
The rationale for the new requirements is to bring better and more uniform technological standards to the financial industry, where highly sensitive data changes hands regularly. While national authorities, such as the SEC, are still articulating their stance, the NYDFS has found itself in a unique position to bring change to the industry since New York is one of the world’s largest banking and financial centres.
What follows is a short description of the new rules and what the implications are for those who do any sort of business in New York.
Who is impacted?
The requirements impact a large number of businesses directly supervised by the NYDFS, including their third party service providers and vendors. Whether or not the business headquarters is in New York State, the requirements will apply to the NY entities of the firm (e.g. NY branches of foreign banks). Some NY entities are exempt from parts of the requirements and other NY entities that are subject to other New York regulations may be exempt from the requirements entirely. The requirements will not apply to national banks and federal branches of foreign banks, but will apply to New York-licensed branches of foreign banks.
Chief Information Officers (CIOs), Chief Information Security Officers (CISOs) and Chief Risk Officers (CROs) in particular are the C-level personnel who should pay closest attention to the requirements. The CISO should not report to the CIO but, at a minimum, to the CRO. Many CIOs may feel that they are losing control over security management within the firm, and this is true. From the NY regulators' point of view on logistics and independence, having the CISO report to the CRO is a much better risk-based alignment: it ensures accountability of the CIO, who tends to have more of the tasks to execute in order to become and remain compliant.
Implications for non-US banks with offices in NY
Many foreign banks in NY are very concerned about the requirements. Compliance will require an adjustment in organisational philosophy: although there may be a global CISO who does not sit in NY, the US regulators expect someone in NY to wear that hat, to be accountable for the NY operations and to sign off on the Certificate of Compliance. Alternatively, covered entities may seek to fill this void by using firms that offer a “virtual CISO” or “CISO as a Service” option. This option is beneficial and cost-effective, saving smaller firms from spending salary dollars on this role while gaining immediate cyber security expertise.
Covered entities should already be aware that the NYDFS superintendent has the authority to take remedial action against any covered entity that does not comply with the requirements. If little or no action has been taken to comply, covered entities, especially foreign banks in NY, should take action sooner rather than later and/or seek third party assistance.
Richard Hudson is Vice President of Cyber Security and Data Protection Services at Cordium