Hey New York - ready for CyberSOX?

Ready to sign off on your organization's compliance with cybersecurity regulations?

Got a signature? Well, if your organization is regulated by New York State’s Department of Financial Services (DFS), it will need to comply with a new regulation that goes into effect on March 1, 2017. Unlike other regulations that prescribe, suggest or strongly encourage cybersecurity risk reduction practices, this new regulation has a unique “kicker.”

The new regulation requires a certification signed by the chairperson of the board of directors or senior officer(s) to be submitted to the DFS to confirm compliance with the new regulation’s requirements. The certification is due annually (with some exceptions) beginning in February 2018.

Many risk managers are used to reporting on their cybersecurity efforts with a handshake, a wink and a promise to do their “personal best.” This will not suffice for those subject to the new regulation. The regulation states that, “each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years. To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes.”

Some covered businesses will be challenged in recruiting and maintaining a competent information security officer. The new regulation requires the designation of a “qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy.” 

This will surely come as a shock to those businesses that have yet to embrace the concept of a professional information security officer and instead simply distribute the responsibilities among the technology staff. Those organizations that do not have an appropriate in-house solution will need to consider an outsourced strategy. As with other outsourcing strategies, accountability remains with the business.

A defensible risk assessment will be critical to demonstrating and designing an appropriate compliance strategy. The assessment should be carried out based on written policies. In addition to documenting the risk assessment, the regulation cites the following requirements as dependent on the results of the risk assessment:

  • maintaining a cybersecurity program;
  • cybersecurity policy;
  • penetration testing and vulnerability assessment;
  • audit trail;
  • access privileges;
  • third party service provider security policy;
  • multi-factor authentication;
  • encryption of nonpublic information.

The above should not cause concern to the many organizations that employ competent information security professionals and follow the various issuances and guidelines that many in the financial services industry already adhere to. Those organizations that “cut corners” or did the minimum will be in for some surprises. A good example is the use by some organizations of a canned and often simple questionnaire to complete their assessment. Given the strategic role that such an assessment will now play in establishing a baseline, a more thoughtful approach using the many tools referenced on CSOonline should be strongly considered.

Seems like SOX déjà vu

Signing or attesting to compliance will be familiar to those working in publicly traded corporations. Many risk managers in these corporations participate in an annual ritual (known to many as Sarbanes-Oxley or SOX compliance) in which critical controls are identified and tested, and a lower-level manager represents to a higher one that the controls are OK. Each subsequent level of management relies on the signed representation of the level below it, so that if a control weakness is exploited, they can disavow direct knowledge of the weakness.

There are many grey areas in deciding what constitutes a critical control for SOX. These judgments are continuously evaluated, documented and adjusted to reflect reality. Although control objectives exist and are generally accepted by the financial reporting community, deviations from expectations may be permitted if appropriate compensating controls are identified.

But there are many practices that technology risk professionals can adapt from the nearly 15 years of experience with SOX compliance that can help provide an appropriate framework and supporting documentation to demonstrate compliance with this new regulation. Here are a few suggestions:

  • Assign accountabilities – Although one person will be signing, it takes an entire organization to ensure compliance and effectiveness of designed strategies.
  • Develop and enforce a policy that incorporates the regulatory requirements, and develop a written program to implement its provisions. This sounds simple, but too often executives assume that lower-level staff understand these requirements when they may not.
  • Develop “signature standards” so that there is a common understanding of what signing means – especially if a higher-level executive is going to rely on the representations of others.
  • Clearly define specific processes for identifying potential exceptions and ensuring that they receive the necessary attention. This obviously requires an appropriate tone at the top, so that employees do not fear retribution.
  • Use recognized frameworks where possible to benchmark and defend positions. Not only will this enhance your organization’s security posture but you’ll be able to gather information on alternative procedures if needed.

Copyright © 2017 IDG Communications, Inc.