While the cybersecurity industry was knee-deep in vision, rhetoric, and endless cocktail parties at the RSA Conference, the State of New York introduced new cybersecurity regulations for the financial services industry. The DFS regulations (23 NYCRR 500) go into effect next week on March 1, 2017. Here’s a link to a pdf document describing the regulations.
Anyone who has reviewed similar cybersecurity regulations will find familiar requirements in 23 NYCRR 500, so while the regulations are somewhat broader than other similar stipulations, there are obvious common threads. In reviewing the document, however, section 500.10 caught my eye. Here is the text from this section:
Section 500.10 Cybersecurity Personnel and Intelligence.
(a) Cybersecurity Personnel and Intelligence. In addition to the requirements set forth in section 500.04(a) of this Part, each Covered Entity shall:
(1) utilize qualified cybersecurity personnel of the Covered Entity, an Affiliate or a Third Party Service Provider sufficient to manage the Covered Entity’s cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified in section 500.02(b)(1)-(6) of this Part;
(2) provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks; and
(3) verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
(b) A Covered Entity may choose to utilize an Affiliate or qualified Third Party Service Provider to assist in complying with the requirements set forth in this Part, subject to the requirements set forth in section 500.11 of this Part.
This section stood out to me for several reasons:
- Covered entities are mandated to “utilize qualified cybersecurity personnel…to manage the Covered Entity’s cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified…” This assumes that covered entities can find qualified cybersecurity personnel in the first place. According to ESG research, 45% of organizations report a problematic shortage of cybersecurity skills in 2017. In 2016, ESG research also revealed that 42% of organizations say it is very difficult or difficult to recruit and hire cybersecurity professionals. This data foretells a climate of increasing competition and salary inflation as Wall Street banks try to woo scarce cybersecurity talent to lower Manhattan.
- Covered entities must also provide ongoing cybersecurity training and verify that key cybersecurity professionals take steps to maintain current knowledge. This may also be a tall order. In 2016, ESG published two research reports in collaboration with the Information Systems Security Association (ISSA) on the state of cybersecurity professional careers. In the first report of the series, 56% of cybersecurity professionals admitted that their current employer does not provide them with the right level of ongoing training to keep up with current risks and threats. The report also exposed the fact that many cybersecurity professionals also admit that they are often too busy (i.e., overworked) and can’t dedicate ample time for training on their own.
Given the pervasive nature of the cybersecurity skills shortage, financial services organizations operating in New York State may struggle to meet these obvious and basic cybersecurity requirements. It is worth noting that they can get around these requirements by transferring risk to “an Affiliate or qualified Third Party Service Provider.” This points to a growing market opportunity for financial services-savvy managed (and professional) security service providers like AT&T, BT, CSC, IBM, SecureWorks, Symantec, Unisys, and Verizon.