As you probably know by now, on February 16, the State of New York’s Department of Financial Services (DFS) finalized its new cybersecurity regulations which take effect on March 1, 2017.
These regulations overlap considerably with others in the financial services industry (e.g., FFIEC, GLBA, NIST CSF, OCC), but tend to go a bit further with several specific prescriptive requirements. For example, the NY State regulations cover nonpublic data (rather than just customer data), mandate the presence of a CISO (or third-party equivalent), and require a program for secure data destruction.
At this point, the NY State DFS regulations are the most stringent (civilian) rules in existence. Thus, other countries, industries, and states will have a keen interest in how they roll out, what challenges they present, and how they are modified in the future.
Beyond regulatory bodies, however, there are numerous interested parties including cybersecurity professionals, technology vendors, service providers, and others. This raises an obvious question: Which groups and technologies stand to benefit most from NY DFS 23 NYCRR 500? Here’s my initial two cents:
- NIST frameworks and publications. The NY State regulations demand that covered entities “maintain a cybersecurity program” designed “to protect the Covered Entity's Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts” (500.02). The regulation also calls for the implementation and maintenance of cybersecurity policies approved by corporate boards. Mid-sized financial services firms looking for solid examples of tried-and-true cybersecurity programs and policies will embrace NIST models like the Cybersecurity Framework and the NIST 800 series of publications.
- Cybersecurity professionals. DFS regulations stipulate that covered entities employ a CISO to lead cybersecurity programs. According to the recently published research report from ESG and the Information Systems Security Association (ISSA), 67% of organizations have a CISO in place today. This indicates that many financial services firms in New York must promote, hire, or outsource this position—a requirement that won’t come cheap. DFS regulations also call for qualified and appropriate cybersecurity staff as well as ongoing staff training. I blogged about the training challenges the other day, but the recruiting competition will also be intense. According to the ESG/ISSA research, 46% of cybersecurity professionals are actively recruited to consider another job at least once per week! Looks like stocks and bonds won’t be the only active market on Wall Street.
- Security Operations and Analytics Platform Architecture (SOAPA). NY State regulations pose many requirements for security operations, including the publication of a documented incident response plan (500.16), monitoring the activities of authorized users, and maintenance of audit logs. In aggregate, the DFS regulations demand advanced security operations capabilities and more security operations integration, collaboration, and reporting. Addressing these needs will drive a wave of product purchases in areas like User Behavior Analytics (Caspida, E8, Exabeam, etc.), SIEM (AlienVault, IBM, LogRhythm, and Splunk), and other security analytics capabilities across networks, hosts, and threat intelligence. This in turn will accelerate projects to integrate individual security operations tools into a common security operations and analytics platform architecture (SOAPA; I wrote a separate blog with a definition and description of SOAPA).
- Identity and Access Management (IAM) tools. The new regulations call for the use of multi-factor or risk-based authentication “for any individual accessing the Covered Entity's internal networks from an external network” (500.12) and as a means of protecting nonpublic data wherever it lives. This mandate will accelerate projects intended to eliminate and replace username/password-only authentication, driving procurement of MFA tools and services. Look for massive deployment of mobile phone-based authentication technologies (CA, Duo, RSA, Symantec, etc.) as well as IAM services (Microsoft, Okta, Ping, etc.).
- Encryption technologies. There’s a little wiggle room here, but in general, NY DFS 23 NYCRR 500 calls for greater use of encryption for data-at-rest and data-in-flight. Vendors like Gemalto, Vormetric (Thales), and SafeNet, as well as network security players like Blue Coat (Symantec), Check Point, Cisco, Fortinet, Juniper, and Palo Alto Networks should benefit. The NY State regulations may also lead to centralization of key and certificate management—something that is long overdue.
Aside from cybersecurity people and technologies, the new rules ought to be a boon for lawyers. The DFS regulations are new, so what to do and how to do it is open to some interpretation. This should keep NY-based, cybersecurity-savvy attorneys busy for some time.