CISO as a Service
What is the New York Cybersecurity Regulation?
Proposed 23 NYCR Part 500 Financial Services Law
The Department of Financial Services, (DFS), has broad authority to take appropriate actions to ensure providers of financial products and services to NY consumers remain solvent, protect consumers, and act reasonably to protect against financial fraud, criminal abuse, and unethical conduct. With Cybercrime on the rise, the DFS proposed new Cybersecurity Requirements for Financial Services Companies, which are designed to ensure safe and sound operations of Financial Providers, and protect New York’s consumers.
Covered entities include but are not limited to, Banks, Lenders, Insurance Companies. To see if your classification of business is affected, click here.
The proposed rule specifically requires what each supervised entity needs to do. This includes the following:
- Establish a Cybersecurity Program
- Maintain written Cybersecurity Policies
- Follow Data Governance and Classification practices
- Annual Penetration Testing
- Quarterly Vulnerability Assessments
- Institution of Log Management
- Implementation of Access Controls based on “Least Privilege”
- Development of an Application Security Practice for internally developed applications
- Annual Risk Assessment
- Employ Cybersecurity professionals to manage your risks
- Launch a Third Party Information Security Policy and Risk Management Program
- Configure Multi-Factor Authentication
- Implement Record Retention Policies and Procedures
- Provide Security Awareness Training
- Institute Data Encryption for data in transit or stored
- Develop and test and security Incident Response Plan
- Report on a bi-annual basis to the company’s board or governing body on risks
- Annually certify your compliance to the DFS
Regulated entities will have 180 days from the effective date of the proposed rule to comply with its requirements, except as otherwise specified. The proposed rule will go into effect on March 1, 2017.
The purpose of the CISO as a Service
Companies that are supervised by New York’s Department of Financial Services, and not specifically excluded from the proposed regulation, must appoint a qualified Chief Information Security Office (CISO), who will be accountable for the overall implementation, effectiveness, and enforcement of the Cybersecurity Program.
The requirements that the Cybersecurity regulation brings, and the increased risks from Cyber-Criminals, make it likely likely that a CISO role will become a permanent role in most businesses. However, small to medium organizations may not have the need for a full-time security resource. This is where SPHERE can help.
SPHERE’s CISO as a Service delivers expertise when and where you need it. Our CISO can provide support and guidance to your Information Technology Department to build a Cybersecurity Program that focuses on ensuring the Confidentiality, Integrity, and Availability of your Information Systems.
Our approach is structured and modular, allowing flexibility to acquire what you need.