If there is one thing businesses could be doing better with respect to their cyber-security programs, what would it be?

Maria Vullo

I asked that question of Maria Vullo, former New York State Department of Financial Services (NYDFS) superintendent, at Compliance Week’s inaugural cyber-security and data privacy event last month.

“I’d say training,” said Vullo, who helmed the agency when it created comprehensive cyber-security regulations. “Businesses need to do more to make sure their employees and business partners know what to do when they see anything suspicious, what not to click into and share, how to protect information, and how to appreciate who has privileged access and why.”

“An important component of a business’s resiliency against cyber-intrusions depends upon employee training, because a large number of such intrusions are due to employees making mistakes,” she added.

Common threats are often caused by human errors, and cyber-training can help businesses avoid those pitfalls, help them develop safer information security habits, and remind them how to report threats to the business’s network.

Impact of the NYDFS regs

Companies must make cyber-security a continuous priority as threats evolve and expand, often more quickly than the technology, regulations, and best practices to counter them.

The NYDFS decided it would not wait for the federal government to act—or for businesses to merely add sound protective measures over their data and networks after being hacked. The cyber-security regulation DFS put into place—with the last component becoming effective in March 2019—provides even businesses not subject to it the ingredients for crafting sounder cyber-security policies and procedures.

The agency, which oversees banks, insurance companies, credit unions, money transmitters, and mortgage bankers and brokers, among others, put forth a draft of its cyber-security regulation in 2017, and it had two public comment periods.

The NYDFS cyber-security regulation, 23 NYCRR 500.01 (colloquially referred to as “Part 500”), has a few key requirements for covered entities—namely, the creation of a detailed cyber-security plan, the designation of a chief information security officer (CISO), the enactment of a comprehensive cyber-security policy, and the maintenance of an ongoing reporting system for cyber-security events.

The regulation also mandates one of two approaches: either effective and continuous monitoring (or other systems) to detect changes in information systems that may create or indicate vulnerabilities, or annual penetration testing combined with bi-annual vulnerability assessments.

“We strove to make the regulations not overly prescriptive, so companies could model their approach according to the specific risks they faced, based on their type of business, clients, size, etc.,” Vullo told Compliance Week’s virtual conference attendees. “And we wanted the companies to be able to evolve in their approach as technology evolved.”

This approach made sense, because DFS oversees financial services firms of all sizes, business types, and product offerings, Vullo added. She noted it also makes sense from the end-user perspective, because the companies needing to comply with these new regulations come from different standpoints in terms of resources.

Even the important role of the CISO is somewhat flexible, in that this individual can have another job function in the firm and not use that specific title. But the role is an integral one, Vullo said, “and it’s premised on the notion that there must be accountability for the cyber-security programs operating within businesses.”

Cyber-security enforcement and guidance

On July 21, 2020, DFS filed its first enforcement action under Part 500.

According to the statement of charges, First American Title Insurance Co. failed to remediate a vulnerability on its public-facing Website, thereby exposing millions of documents containing sensitive consumer information—including bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts, and driver’s license images—to unauthorized access.

The NYDFS cited violations of six provisions of the regulation, including the requirement to provide regular cyber-security awareness training for all personnel and the requirement to limit user access privileges and to periodically review such access privileges.

In July 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, imposing more expansive data security and data breach notification requirements on companies. It took effect March 21, 2020.

Among other things, the SHIELD Act requires entities subject to the law to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” By this language, the Act creates an entirely new regulatory regime for a large number of businesses, from global corporations to much smaller ones, that hold or use New Yorkers’ private information.

Vullo said many of the ingredients of the SHIELD Act intentionally mirrored the directives in the NYDFS regs, such that when an entity is in compliance with Part 500, the law deems the entity to likewise be in compliance with the SHIELD Act.

Reminders to businesses

On Oct. 30, 2020, federal banking regulators issued guidance on sound practices for the largest U.S. banking organizations to strengthen their operational resilience, including with respect to cyber-risk management.

And throughout the pandemic, regulatory bodies have issued multiple warnings about cyber-related crimes and examination observations based on the heightened vulnerability of corporate information security in remote workplace environments.

Companies need to address any siloed security tools, processes, and corporate departments that have not done enough to provide holistic protection and keep up with today’s threats. Otherwise, they can find themselves subject to intrusions because they have neglected simple password best practices and multi-factor authentication.

Further, as Vullo pointed out, training programs help employees understand how even the simple steps they take every day—and the threats they need to watch out for—can truly make a difference to a business’s cyber-security protection.

A CISO, working with the business’s chief compliance officer, must show upper-level executives and board members the business has a detailed plan for conducting regular assessments of its capabilities and infrastructure, plus a realistic incident response plan the business can follow during an actual incident.