In a few short days, the rubber meets the road for those financial organizations that fall under the New York State Department of Financial Services’ cybersecurity regulation.
By September 4, each covered entity will need to have commenced annual reporting by the firm's chief information security officer to the board regarding the company's cybersecurity program; established controls for access to nonpublic information; implemented cybersecurity training for employees based on the firm's risk assessment; and encrypted nonpublic data while in transit and at rest.
Every previous deadline in the rollout of 23 NYCRR 500 has been relatively simple compared to the coming deadline, Mark Sangster, vice president and industry security strategist at eSentire, told Markets Media.
"Appointing a chief information security officer (CISO), having written policies and procedures, and running risk assessments is not particularly mature security," he said. "It's table stakes: You have to have that kind of stuff."
The regulation’s encryption requirement brings a new set of challenges for financial organizations.
Encrypting data while it is in motion is the easy part with the virtual private networks and the rise in popularity of software-defined perimeters, according to Sangster.
However, encrypting it while it is at rest could impede specific business-critical systems that cannot take encrypted information from one source, ingest it, and pass it into the system.
Encrypting data also will make monitoring transactions difficult for compliance departments.
"The good news about encryption is that everyone is blind to it," said Sangster. "The bad news about encryption is that watchers who are trying to protect it also cannot see what it is. That introduces a conundrum."
He noted that compliance organizations would need to be able to decrypt when necessary, which would affect a firm's security policy.
When it comes time to file a cybersecurity incident with the DFS, some firms are taking a kitchen-sink approach, providing every log and piece of information regarding a security event and claiming full disclosure. Others aim to provide the bare minimum amount of information while the definition of what materially affects their business remains somewhat loose.
Until the DFS identifies what needs and does not need to be encrypted as well as defining how firms should monitor, detect and respond to events, firms should do their due diligence regarding how they plan to protect themselves and report incidents and be consistent in their practices, according to Sangster.
"They are looking for a consistent approach from the company," he said. "When they don't see a consistent approach from a company, that is when they nail them to the wall with the penalties."
Overall, Sangster gives the industry good marks on its preparedness.
"This one is going to be the time where we are going to see the great quarterbacks and the good quarterbacks now since last year was pre-season and now it is the regular season," he said. "We will see what measures, technologies, and services that they deploy."