Embracing NY DFS Cybersecurity Requirements as a Catalyst for Enterprise Risk Transformation
As of March 1st, 2017, the landmark cybersecurity requirements from the New York Department of Financial Services (DFS) are officially promulgated (see DFS 23 NYCRR 500). After months of iterative review, feedback, and revision of the requirements, DFS Cybersecurity compliance is now a very real challenge for Security and Compliance teams that fall under the broad domain of DFS regulation.
Organizations that count themselves among the regulated entities of the DFS have a unique opportunity to harness this significant moment in the evolution of cybersecurity regulation, and to leverage the principles of these new requirements to energize transformational enhancements to their cybersecurity and overall enterprise risk management programs.
Having followed the evolution of the DFS cybersecurity requirements since the beginning, I find it refreshing that the final release gives organizations broad guidance on specific areas of focus and objectives across cybersecurity domains, while affording each organization significant leeway regarding the nature and extent of the controls, policies, procedures, and technologies it may implement to achieve those objectives. This “risk-based” approach has certainly been welcomed by all of the folks I have been meeting.
For organizations operating in the financial services, banking, and insurance sectors, cybersecurity is not a new concept. Most of these organizations have invested significantly in cybersecurity in recent years, and many already have programmatic cybersecurity mechanisms in place to meet most of the DFS’ requirements.
The unique opportunity for transformation manifests itself for those organizations that leverage the DFS requirements as a catalyst for taking a robust, holistic, and fresh look at enterprise risks and threats, and to leverage the results of this analysis in the development of a revised strategy for cyber risk management, governance, security, and compliance.
Additionally, collaborative efforts to further integrate existing enterprise risk management (ERM) and institutional compliance programs can be a tremendous source of game-changing improvements, including a focus on holistic security, risk, and compliance reporting, monitoring, metrics, dashboarding, automation, and optimization.
Results of this type of initiative will be useful beyond security and compliance stakeholders, including Chief Risk Officers and other functions that have ownership for enterprise risk management objectives and strategies.
As a real-world example, I worked with an organization to incorporate input from various stakeholder functions regarding overall cyber risk management methodology and process prior to the execution of an initial baseline risk assessment. We developed a truly integrated approach, and then we executed the initial cyber risk assessment leveraging the new methodology. This included active participation from Legal, Human Resources, Enterprise Risk, Internal Audit, business unit leadership, and of course Information Security and technology stakeholders.
The tangible benefits were compelling. The joint development effort fostered greater ownership, awareness, and engagement from across the organization in the cyber risk assessment process. The ability to articulate a holistic approach to risk lifecycle management gave stakeholders comfort and confidence in the overall assessment process. Scope was fine-tuned to include key business risk areas, and the results of the assessment were much more impactful. We also developed a pilot dashboard for risk exception reporting, which was a critical first step toward continuous risk monitoring and better risk reporting across the organization.
Another example comes to mind where the initial scope of the baseline cyber risk assessment was expanded to include a deeper-dive analysis of certain technology environments that had never been evaluated for security vulnerabilities. This included web application security and penetration testing, in addition to broader vulnerability assessment across the organization’s network. The benefits here were that the results of the overall cyber risk assessment included not only programmatic and process-level enhancement observations, but also specific and actionable technical vulnerability information. Altogether, the results of this organization’s cyber risk assessment were very powerful, and enabled the organization to develop and execute an effective plan of action across the environment.
The key point is that DFS compliance shouldn’t be focused solely on the rote task of ensuring that each compliance objective is met in a silo. Certainly that is a key part of it, and there will be a need for compliance gap analysis for each of the requirements and for the functions within the organization that own each element of compliance. Having said that, by establishing a programmatic and integrated approach to the DFS compliance challenge, and aligning this initiative strategically with the organization’s overall enterprise risk management program and objectives, there is a real opportunity for transformational enhancements and strategic benefits.
The initial phase of the transitional and implementation period for the regulation is currently underway, and regulated entities will have to submit their initial certification of compliance to the DFS by February 15th, 2018.
Now is the time to establish a strategy for DFS compliance, then plan, mobilize, and execute on that strategy. Organizations that embrace this landmark compliance challenge as a welcomed opportunity for cybersecurity transformation are the ones that stand to benefit the most from the investment that they’ll have to make, in addition to achieving a sustainable and effective compliance program.