23 NYCRR 500’s Risk Assessment Clause
We have previously discussed the new New York Department of Financial Services (DFS) cybersecurity standards, known as 23 NYCRR 500, that came into effect March 1, 2017. This regulation is the first of its kind, calling for financial institutions to implement rigorous cybersecurity requirements. To comply, organizations need to establish cybersecurity programs and policies, designate a qualified CISO, conduct periodic risk assessments, and implement numerous other controls. But before any of that, DFS calls for a risk assessment.
A financial company’s ability to successfully comply with 23 NYCRR 500 is almost solely contingent on a thorough and unbiased risk assessment. Despite being buried half-way down in Section 500.09 of the regulation, the risk assessment is actually the cornerstone of all of the enforcement measures around cybersecurity policy, compliance, certification, and information security implementations. In fact, almost every requirement throughout the DFS regulation is based on the results of that risk assessment. So what’s the board or senior officer in the company to do to set their organization, and themselves, up for success?
Step 1: Define the criteria of your risk assessment
This means tailoring your risk assessment to include evaluations of all the other relevant requirements within the regulation. These targets include, but are not limited to:
- The existence (and components) of a cybersecurity program including its ability to “identify and assess internal and external cybersecurity risks” as well as detect, respond, and recover from cybersecurity events
- An inventory and evaluation of relevant cybersecurity policies at the appropriate leadership level
- Controls, such as multi-factor authentication, encryption standards, and account reviews that are in place to protect your company and customer data
- The ability to perform normal operations in the face of cybersecurity events
- The limitation of access privileges for certain sensitive systems
- Qualified cybersecurity personnel to perform functions within your cybersecurity program
- The existence and quality of policies and procedures that govern third-party providers
- Identification of risk areas to be highlighted in employee awareness training
- The existence and efficacy of a written incident response plan
Step 2: Decide how your organization will conduct its risk assessment
The DFS regulation doesn’t specify whether you must use an external party to conduct your risk assessment or whether you can conduct it yourself. Whichever path you choose, make sure that your assessors are well-versed in the programs and controls they will be evaluating and are free from bias. If an internal conflict of interest later comes to light, the results could be skewed, causing long-term damage to the company.
Step 3: Conduct the risk assessment
The results of your risk assessment may not be pretty. Below are the three most common gaps that may separate your organization from full DFS compliance.
- Outdated Cybersecurity Policy: A security policy is a strategic document that establishes an organization’s information security program and how it fits into larger business objectives. An organization’s security is only as strong as its guiding security policy. Your risk assessment will determine whether this document is clear, prescriptive, up-to-date, and sets the right tone for security.
  - Keep in mind that a senior officer or the board of directors is required to review and approve an organization’s cybersecurity policy. Under the DFS regulation, cybersecurity responsibility ultimately falls on the C-suite or board of directors to ensure the organization’s cybersecurity policy is complete and accurate.
- No CISO: Organizations must designate a qualified individual to serve as the Chief Information Security Officer (CISO). This individual has ownership over managing and implementing the cybersecurity requirements identified in the risk assessment. Additionally, the CISO is required to report in writing to the board on the effectiveness of the cybersecurity programs and policies, as well as perceived cybersecurity risks, at least once annually. Here are a couple of things to keep in mind when filling this role:
  - A successful CISO must have a particular set of skills, including data science expertise and the ability to communicate effectively. According to Dmitry Kuchynski of Cisco Security Solutions, synthesizing these skillsets is essential: “CISOs must be able to frame the discussion in a strategic way that clearly communicates the potential impact of a data breach on stock price, customer loyalty, customer acquisition, and the brand.”
  - You will need to monitor the performance of your CISO in facilitating effective cybersecurity strategies.
- Ineffective Training and Awareness Programs: 23 NYCRR 500 requires that organizations implement training and awareness programs that are ongoing, effective, and frequently updated. To stay compliant, consider the following:
  - Be proactive. The C-suite must review and update cybersecurity programs and policies on a regular basis. Senior executives need to participate in the organization’s cybersecurity programs and policies and make revisions as often as necessary.
  - To know where you’re going, know where you’ve been. Monitor and track your workforce’s performance over time. For instance: What percentage of employees participate in cybersecurity awareness training? On average, how long does it take to detect an incident? How many employees are actually clicking the links in those spam emails? These are all performance metrics your organization should be tracking to gauge the security awareness and hygiene of your employees.
Step 4: Understand the impacts of the risk assessment results
Once you have a full inventory of your organization’s cybersecurity program strengths and weaknesses, you need to interpret those findings in light of the Regulation’s implications.
In the event of noncompliance or failure to remedy deficiencies identified in the risk assessment, DFS can hold senior leadership directly liable for poor cybersecurity oversight and risk management. For example, if the board attests to the adequacy of cybersecurity programs and policies that later are found to be deficient, the board and their senior leadership teams can be held accountable.
C-Suite’s Approach to Cybersecurity
In light of the regulation’s requirements, it is important that senior executives understand cyber issues so they can effectively oversee their organization’s cyber risk programs and policies. Taking a passive or ad hoc approach to cybersecurity can lead to serious consequences and potential liability issues. To ensure compliance, corporate leaders must actively engage in cybersecurity policies and procedures to protect valuable customer data and resources.
At CyberVista, we recognize the challenges senior executives face in addressing today’s cybersecurity risk. Our executive programs provide engaging content that will help you learn to manage cyber risk. If you are a senior business leader looking for a greater understanding of how cybersecurity issues impact your organization, start or continue your journey by requesting a private training by our team.