NYDFS cybersecurity regulation and the urgent need for training

As financial services organizations come to terms with the complex and demanding requirements of the new NYDFS cybersecurity regulation, it is becoming clear that there is an urgent need to recruit and train specialist information security staff.
With the shortage and high salary expectations of experienced professionals in the East Coast area, most firms will be looking to ‘upskill’ by training their existing team. While much has been made of the requirement to appoint a chief information security officer, there is an assumption that the person in this key role will already know how to plan and implement the required cybersecurity program (section 500.2) and cybersecurity policy (section 500.3). These activities may also fall on the shoulders of existing information security or compliance managers, but, either way, there is an absolute requirement for a dedicated NYDFS cybersecurity regulation project manager or lead implementer.

What does the NYDFS cybersecurity lead implementer need to know?

The fundamental requirement of the Regulation is to establish an effective cybersecurity program that is informed by the results of initial and continued risk assessment. This enables the selection of relevant controls that mitigate the cyber risks faced by the organization. The NYDFS cybersecurity lead implementer  must work with other senior managers to plan, implement and monitor an information security management system that includes the people, processes, and technology required to ensure compliance and the security of the business.

Knowledge and experience of risk management (analysis and treatment) are essential. This involves identifying critical assets, assessing the threats and their impacts, and selecting appropriate measures to reduce the potential impact on these assets.

Consistent with section 500.03 of the Regulation, the lead implementer also needs to understand the following:

  • Data governance and classification
  • Asset inventory and device management
  • Access controls and identity management
  • Business continuity and disaster recovery
  • Systems and network security
  • Systems and application development
  • Physical security
  • Customer data privacy
  • Vendor and third-party management
  • Incident response

You will have noted that this is a long list and that it reflects the demanding, multi-skilled role of information security manager/director. It is also a very good reason for the scarcity of, and cost of hiring, such experienced IT professionals.

In addition to management training, the need for staff training and skills is also defined in the Regulation itself. Section 500.10 states that every organization must “provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks” and “verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.” And section 500.14 states that all covered entities must “provide for regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.”

How to ensure your staff are trained

The first priority for any organization is to ensure that their NYDFS cybersecurity lead implementer has the qualifications, knowledge and skills to deliver an effective cybersecurity program. In delivering the program, it naturally follows that the rest of the staff will be adequately trained as outlined above. This ‘top-down’ approach may sound obvious, but unless the lead implementer and their team are extremely competent, it is very unlikely that compliance with the Regulation will be achieved within the very tight deadlines defined.

Senior information security professionals who hold qualifications such as CISSP, CISM, and/or CRISC will make good candidates for an NYDFS cybersecurity CISO or indeed lead implementer. These qualifications focus on information security management and are underpinned by their requirement to have at least five years of relevant working experience. More technical qualifications awarded by Microsoft, Cisco, and CompTIA are also highly desirable, particularly for positions in smaller firms that may not have a large team responsible for security and compliance.

Implementing an information security management system that complies with the ISO 27001 standard will ensure your organization fully meets the New York Cybersecurity Requirements for Financial Services Companies. To train your key managers, I recommend that they attend our unique New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation and Lead Implementer training courses.