Thoughtful Regulation for an Unregulable Concern; The Balanced Approach of the New York Cybersecurity Framework

In an effort to bolster state cybersecurity laws and bring focus to cybersecurity practices in the financial industry, the New York State Department of Financial Services (NYSDFS) recently proposed a new, first-in-the-nation, cybersecurity framework. This regulation would require financial institutions that fall under the jurisdiction of the NYSDFS to establish and maintain a cybersecurity program designed to protect consumers and ensure information systems can prevent attacks to the greatest possible extent. Requirements of the regulation involve adopting a written cybersecurity policy, appointing a Chief Information Security Officer (CISO), instituting policies and procedures around information accessible to or held by third-parties, and other items to related to security best practices.

The structure of the proposed framework is a major step in the right direction given the dynamic nature of cyber risk and presents hope that regulators like the New York DFS can balance baseline “table-stakes” requirements with top end flexibility for companies to deploy discretion based on their own sophistication and means. As such this type of framework should serve as a model for other regulatory authorities that are contemplating similar endeavors, and certainly it could be utilized by firms in any industry. Outlined below is my take on three achievable and positive outcomes of this prospective new standard:

  • Clear Ownership of Risk

Akin to having a General Council for legal oversight or having a risk committee for global risk management, the proposed regulation requires the appointment of a qualified CISO whose responsibilities surround the management of the organization’s cybersecurity program and policy, reporting directly to the Board. This requirement codifies cyber as a risk and domain of responsibility that requires somebody being in charge and who, in addition to managing the tactical actions of a firm, serves as the primary interlocutor to the rest of senior management and the Board. In our experience the presence of a CISO is a tell-tale sign that a firm takes cyber risk management seriously, especially relative to firms who task duties to the “IT folks.”

  • Appropriate Balance

Standards and regulations are by nature, static. That simply does not work relative to cybersecurity; technology evolves quickly, attackers are continually increasing their capabilities, and it is impossible to create a standard or regulation that creates impenetrability. Organizations that do put in the effort to meet compliance often cease efforts thereafter, believing that compliance equals security, not realizing that the requirements act as the baseline for security implementations.

Similarly, many regulations are by nature prescriptive and that also can’t work for cyber given all of the unique characteristics that a firm may contend with – the nature of its operations; its existing technology infrastructure, sophistication of its employees and the attractiveness to the bad guys. It’s not unfair that any seasoned CISO or senior security leader would react with skepticism to any prescriptive regulation.

Equally as important as the codification of responsibility via the appointment of a CISO, the new proposed framework got the structure right: it is open-ended and provides flexibility that is much more appropriate for the nature of cyber risk – not limiting industry innovation but encouraging of keeping pace with technological advances. This approach encourages additional preventative measures, requiring firms to apply security measures beyond the bare minimum, in a less prescriptive manner that cannot be easily learned and outmaneuvered by adversaries. Yes, it sets baseline requirements, but our view is that these “table stakes” requirements consist of tried and true cyber hygiene practices that any firm should be doing anyways. Thus the flexible regulation sets a floor but gives firms an appropriate, reasonable and scalable way to continually manage cyber risk.

  • Increased Confidence and Brand Reputation

One of the most damaging effects of a cyber event is the loss of consumer confidence and brand reputation. Consumers must be confident that the organizations are making appropriate security efforts to protect their private information. Cyber risk needs to be understood and dealt with appropriately. Firms that don’t are not only risking the safety of their data, but are risking their reputation.

Should a cybersecurity event happen, certification of compliance for the proposed regulation allows board members, CISO’s, and senior executives to prove that they took their cyber risk management responsibility seriously. In effect, it allows those in positions of responsibility to prove that the risk was managed appropriately, a critical measure especially in an era where post cyber event litigation and directors and officers litigation is surely to increase.

This proposed regulation is proof that the cyber risk community and marketplace is taking a progressive approach towards a duty of care for cyber risk management. To learn more about the new cybersecurity framework, visit the official website of New York state.