New York State cybersecurity rules and the skills shortage

While the cybersecurity industry was knee-deep in vision, rhetoric and endless cocktail parties at the RSA Conference, the State of New York introduced new cybersecurity regulations for the financial services industry. The Department of Financial Services (DFS) rules (23 NYCRR 500) go into effect next week on March 1, 2017.

Anyone who has reviewed similar cybersecurity regulations will find requirements in 23 NYCRR 500 familiar, so while the regulations are somewhat broader than others, there are obvious common threads. In reviewing the document, however, section 500.10 caught my eye. Here is the text from this section:

Section 500.10 Cybersecurity Personnel and Intelligence.

(a) Cybersecurity Personnel and Intelligence. In addition to the requirements set forth in section 500.04(a) of this Part, each Covered Entity shall:

(1) utilize qualified cybersecurity personnel of the Covered Entity, an Affiliate or a Third Party Service Provider sufficient to manage the Covered Entity’s cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified in section 500.02(b)(1)-(6) of this Part;

(2) provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks; and

(3) verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.

(b) A Covered Entity may choose to utilize an Affiliate or qualified Third Party Service Provider to assist in complying with the requirements set forth in this Part, subject to the requirements set forth in section 500.11 of this Part. Section 500.11 Third Party Service Provider Security Policy.

This section stood out to me for several reasons:

• Covered entities are mandated to “use qualified cybersecurity personnel … to managed the Covered Entity’s cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified.” This assumes covered entities can find qualified cybersecurity personnel in the first place. According to ESG research, 45 percent of organizations report a “problematic shortage” of cybersecurity skills in 2017.  In 2016, ESG research also revealed that 42 percent of organizations say it is “very difficult” or “difficult” to recruit and hire cybersecurity professionals in the first place. This data foretells a climate of increasing competition and salary inflation as Wall Street banks try to woo scarce cybersecurity talent to lower Manhattan.
• Covered entities must also provide ongoing cybersecurity training and verify that key cybersecurity professionals take steps to maintain current knowledge. This may also be a tall order. In 2016, ESG published two research reports in collaboration with the Information Systems Security Association (ISSA) on the state of cybersecurity professional careers. In the first report of the series, 56 percent of cybersecurity professionals admitted that their current employer does not provide them with the right level of ongoing training to keep up with current risks and threats. The report also exposed the fact that many cybersecurity professionals admit they are often too busy (i.e. overworked) and can’t dedicate ample time for training on their own.

Given the pervasive nature of the cybersecurity skills shortage, financial services organizations operating in New York State may struggle to meet these obvious and basic cybersecurity requirements. It is worth noting that they can get around these requirements by transferring risk to “an Affiliate or qualified Third Party Provider.” This points to a growing market opportunity for financial service-savvy managed (and professional) security service providers such as AT&T, BT, CSC, IBM, SecureWorks, Symantec, Unisys and Verizon.