On March 1, 2017, the New York State Department of Financial Services (“DFS”) Cybersecurity Regulations (the “Regulations”) took effect. The Regulations, which are the first of their kind in the nation, require banks, insurance companies, mortgage brokers, lenders, and other institutions regulated by DFS (“Covered Entities”) to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. In order to be compliant with the Regulations, the DFS is requiring a Covered Entity’s cybersecurity program to addresses core cybersecurity functions, and among other things, designate a qualified individual (referred to as a Chief Information Security Officer” or “CISO”) to be responsible for overseeing and implementing the entity’s cybersecurity program and enforcing its cybersecurity policy.
Larger organizations which are subject to the Regulations likely already have a cybersecurity program in place as well as a dedicated CISO; at a minimum, most such organizations are in the process of addressing the Regulations in a significant way with an appropriate allocation of resources. On the other hand, smaller organizations that are not exempt from the Regulations are faced with the prospect of adding an entire layer to their risk management procedures which could have a much greater impact on their bottom line. Fortunately, the Regulations, which went through a series of revisions, were ultimately crafted to be flexible and provide Covered Entities the ability to create a cybersecurity program based upon its own individual risk assessment, as opposed to a set of one-size-fits all approach. That flexibility includes the ability for a Covered Entity to designate a Third-Party Service Provider as its CISO. Thus, an organization which has already retained a vendor to oversee its cybersecurity infrastructure would be able to use that vendor to serve as its “CISO” with relative ease, provided that certain requirements are met.
For example, the Regulations require that a Covered Entity’s CISO (even if it is a Third-Party vendor) issue a report on an annual basis, to the entity’s Board of Directors or a Senior Officer, regarding the organization’s cybersecurity program and material cybersecurity risks. Among other things, the CISO’s report, to the extent applicable, should consider: (1) the confidentiality of nonpublic information and the integrity and security of the organization’s information systems; (2) the organization’s cybersecurity policies and procedures; (3) material cybersecurity risks to the organization; (4) overall effectiveness of the organization’s cybersecurity program; and (5) material cybersecurity events involving the organization during the time period addressed by the report. If an organization which is subject to DFS oversight is already using an outside vendor for its cybersecurity threat detection and oversight, that vendor would be in a good position to augment its services in order to serve as the organization’s CISO. Thus, for those Covered Entities that find the hiring of a CISO to be a cost-prohibitive task, they may be able to leverage their existing relationships in order to satisfy the Regulation’s CISO provision. For those regulated organizations that don’t yet have a cyber security plan in place, they too could allow an outside cybersecurity vendor to serve a dual-purpose.
A final important note is that even if a Third-Party is designated as a Covered Entity’s CISO, the entity still retains the ultimate responsibility for ensuring compliance with the Regulation’s requirements. Accordingly, organizations who choose to go the Third-Party CISO route are required to designate a senior member to be responsible for direction and oversight of the CISO. In the end, there is no doubt that cybersecurity in general, and compliance with regulatory requirements, is a new normal that must be baked into every organization’s risk management processes, and that doing so will require some allocation of resources. Fortunately, the DFS is providing some flexibility, such as the use of an outside CISO, in order to ease the burden on some Covered Entities.