Advisen FPN

Advisen Cyber FPN - Wednesday, February 22, 2017

By March 1? Really? How? NY DFS Cybersecurity Regulation Looms


By March 1? Really? How? NY DFS Cybersecurity Regulation Looms

By Bob Barker, Cybernance

Leveraging Other Standards to Meet the March 1 NY DFS Deadline

A recent story from Fitch  pointed out that the March 1 deadline for implementation of the new NYDFS Cybersecurity Regulation represents not only the potential for significant growth of the cyber insurance and D&O markets; it simultaneously creates the potential for significant losses. Fitch also expressed a concern that other state or federal cyber regulations passed after New York’s could create conflicts. “Notably, the National Institute of Standards and Technology, a nonregulatory agency of the Department of Commerce, has several recommendations that differ from the NYDFS plan.”

After creating an automated cyber risk governance control system based upon the NIST Cyber Security Framework (CSF), we believe that companies that implement a rigorous and comprehensive assessment against this de facto standard will accelerate compliance with the NY DFS regulations. In fact, a detailed comparison between the two revealed that a rigorous implementation of CSF addresses all the requirements of the New York regulations.

Before the highly-publicized fraud by Enron and others in the late 20th century, corporations already reported their financial condition to their boards. The widespread fraud unmasked the need for much more rigorous standardized reporting to prevent similar events from occurring.  In 2002, the Sarbanes-Oxley Act mandated change, and the multibillion dollar market in financial control systems is the outcome.

Today’s 21st century cyber analog of financial governance is Cyber Risk Governance (CRG). It emerged in the past two years and is driven by a common understanding that:

  1. cybersecurity is not just a technical problem; it’s a governance problem that needs attention across the entire enterprise;
  2. corporate directors face increasing risk from cyberattacks, including personal liability for breaches; and
  3. data about internal defenses is critical in organizing efforts to combat cyberterrorism and cybercrime.

The new regulations promulgated by the New York Department of Financial Services reflect the growing anxiety nationwide about the potential impact of cyberattacks on our financial infrastructure. The Department of Homeland Security has long realized that “financial institutions, not only banks and other depositories, but also securities dealers, insurers, and investment companies, are collectively a critical infrastructure element for the U.S. economy. They are essential to the minimum operations of the nation.”1

A director of a financial institution has a statutory “duty of care” to oversee mitigation of risk, including cyber risk, and oversight requires access to the right information. An effective approach to cyber risk governance comprises several steps: (1) assessing against standards, (2) identifying and implementing an action plan, (3) monitoring progress toward resilience, and (4) repeat steps 1 through 3. An internal control system for cyber risk governance, analogous to an internal control system for financial governance, can empower directors and management to actively and continually engage in building cyber resilience.

What’s the best way to ensure a rapid, accurate, and cost-effective assessment? NIST’s CSF is widely accepted as the de facto standard for assessing cyber maturity. Most organizations employ expensive and cumbersome methods for measuring compliance with standards for managing cyber risk. Consultants, manual spreadsheet checklists and online surveys lack the substantial advantages afforded through automating cyber risk governance. The table below contrasts three methods currently used to assess and manage cyber risk:

Implementing one of these forms of cyber risk assessment is necessary, but simply capturing cyber status at a single point in time is insufficient to motivate better long-term cyber hygiene. An automated cyber risk governance system continually monitors critical systems and provides ongoing guidance based on national standards. It serves as a platform for shared communication that directs organization-wide collaboration on implementing all the controls required to reduce risk and build cyber resilience into the enterprise.


1 Jackson, William D., “Homeland Security: Banking and Financial Infrastructure Continuity,” Congressional Research Service, Dec. 10, 2004.

About the author: Bob Barker is co-founder/chief strategy officer at Cybernance. Bob develops Cybernance’s corporate strategy through strategic partnerships and marketing initiatives. He is a high tech executive with decades of C-level experience in large companies and startups. He’s recognized for his software industry expertise in partnerships, marketing, and business development that was derived from negotiating and implementing many successful partnerships and acquisitions.