Cyber-security policies are the newest area to fall into the lap of the compliance professional. Fortunately, the state of New York's Department of Financial Services (DFS) has issued the first state-level regulations on cyber-security for financial institutions. They became effective March 1, 2017, and while they are designed to protect financial services industries and consumers, they also apply to, and provide guidance for, a wider variety of non-financial services companies and commercial enterprises. The regulation mandates that your overall cyber-security policy be designed to meet the goals of preventing, detecting, and remediating a cyber-security event.
While the regulation is obviously geared toward financial services firms, there are several points that any non-financial services compliance practitioner should consider. The overall cyber-security program should be designed to meet the three goals of any best practices compliance program: (a) preventing any cyber-security breaches or failures; (b) detecting cyber-security events; (c) remediating by responding to identified or detected cyber-security events to mitigate any negative effects, recovering from them, and restoring normal operations and services. An added requirement for cyber-security will be notification of the appropriate regulatory authorities. All of this sounds suspiciously like a best practices anti-corruption compliance program and will be quite familiar to any anti-corruption compliance professional.
Yet this DFS regulation should also be studied as a roadmap for the inevitable cyber-security and InfoSec compliance that is just down the road for non-financial services industries. The provisions on third-party providers are particularly critical, as many major data breaches have occurred through connected third parties. One need only think of the Target data breach or the looting of the Central Bank of Bangladesh through the New York Federal Reserve Bank.