DFS Cyber Regulation: Changing the Rules - An Interview with Bay Dynamics’ Steven Grossman
As part of Patterson Belknap’s continuing focus on the New York Department of Financial Services (DFS) proposed cybersecurity regulation, we sat down with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, a cyber risk analytics company, to talk about cybersecurity in a highly regulated environment. In the first installment of our 2-part interview with Steven, he discusses implementation of the new regulation and the fact that organizations shouldn’t confuse regulatory compliance with effective cybersecurity planning and strategy.
Q: Steven, thank you for making time. The new DFS regulation breaks new ground in several areas including board engagement, accountability at the top and in mandating cybersecurity vulnerability assessments. From your perspective, what do you see as the biggest challenges in implementing the regulation?
The challenges are a tale of two cities. The proposed regulation covers a broad group of institutions. I think that smaller financial institutions will be challenged by most of the requirements, while larger enterprises will struggle with attesting to compliance with yet another regulation that overlaps with many other existing requirements.
While the regulation includes a couple standout requirements such as requiring that written cyber security policies are established and reviewed by companies’ boards of directors at least once a year and the chairman of the board or another senior officer gets annual certification, the biggest challenge will be separating this new regulation from the set of requirements and frameworks that are already out there. Most large financial companies already focus their efforts on adhering to one or more existing regulations including the Payment Card Industry Data Security Standard, the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool, the National Institute of Standards and Technology framework and others. The legwork required to adhere to these existing standards, guidelines and frameworks takes on a life of its own with armies of people crunching data and putting together spreadsheets for reporting. They need to collect and present the information multiple times since each regulation comes in different variations. Companies have become so compliance-centric that they are often more focused on “checking the compliance box” than their actual primary responsibility – protecting the company’s valuable assets. For these institutions, this new regulation will just add to the data crunching and spreadsheet mania which will, yet again, distract the IT and security team from keeping their eye on the cyber security ball.
For smaller financial institutions that don’t have the security and technology resources to keep up, the regulation will be a significant burden, though that does not minimize its importance. The financial network is only as good as its weakest link, and as we saw from the SWIFT heist, bad actors will attack less protected entry points to gain entry to lucrative targets. Putting the right policies, procedures and controls for minimizing risk is critical for the system as a whole. For these smaller institutions, the regulation can serve as a driver to escalate the conversation with the board and provide information security the attention and resourcing it deserves. Stakeholders of these companies should not treat it as just a regulatory exercise, but as a mission critical activity that their company depends on (not to be overly dramatic, but it is). There will be an inclination to outsource the effort to managed service providers, which is fine, but it does not absolve them of their responsibility. Responsibility can be outsourced, but accountability cannot be. There is no escaping that the board or senior executive still needs to sign the attestation that the institution they govern is in compliance.
Q: Is the regulation a harbinger of things to come in other sectors?
Many other sectors already have their own set of cybersecurity requirements. Retailers have the Payment Card Industry Data Security Standard, healthcare has HIPPA, to name a few. With the increased centrality of technology, and the increased exposure of data and systems due to mobile computing and the Internet, additional regulation is inevitable. The DFS regulation isn’t so much a harbinger as it is par for the course. I think the real challenge for all industries is to minimize redundancy and go beyond compliance to focus on effectiveness. With the overwhelming regulatory burden, proving and reporting on compliance take on a life of their own, and do not necessarily prove organizations are protected. We have seen many instances where institutions in numerous industries are breached during the same time period they were checking the compliance box. Focusing on effectiveness of controls versus just the existence of controls will move organizations – and the industry as a whole – in the right direction.
Q: Banks and insurers have 180 days to implement the regulation once it becomes law on January 1st. How do you approach and prioritize implementation?
Step one is performing a gap assessment between the stated requirements and an enterprise’s current policies, procedures and security posture. Hopefully, companies are already making cyber \security a top priority so the gap analysis is straight forward and many of the requirements are already fulfilled. Unfortunately, many companies don’t have the right structures in place, and will struggle first with assessing, and then with complying with the policy/procedure and technical aspects of the regulation. For those institutions, the first step is to assign a leader responsible for the domain, a CISO, as required by the regulation. That leader needs to marshal the right internal and third party resources to do an assessment of their coverage of the DFS requirements and their ability to prove and report on compliance. Though I think that most institutions will have many requirements covered, most lack the reporting automation to understand that coverage on a daily basis, and require significant human resources to pull it all together. Metrics and reporting automation supports a continuous compliance model that provides a daily reckoning, so that compliance gaps and security exposures are well understood. It will also highlight gaps in knowledge of a company’s assets, since identifying covered systems and data is a critical first step in the process.