Cyber-Security Re-Defines Business Structure


The New York State Department of Financial Services’ new cyber-security regulation, 23 NYCRR 500, takes effect on February 15, and financial institutions will need to change how they approach cyber-security.

After decades of outsourcing IT processes and staff, financial institutions will need to bring their information security responsibility back in-house.

Firms that fall under the regulation’s mandate will need to put a cyber-security program in place and name a chief information security officer who will take the ultimate responsibility of meeting the regulation’s requirements.

Josh Barons, Abacus Group


“A lot of firms, however, are looking at the exceptions rather than what the best practices are and what the guidelines in the requirements would be,” said Josh Barons, director of information security at Abacus Group.

Financial firms that employ fewer than 10 people (including contractors), have less than $5,000,000 in annual revenue for the past three years, or have year-end assets of less than $10 million are exempt from a majority of NYSDFS’ cyber-security regulation.

Whether firms must comply with the full regulation or a portion of it, it is only a matter of time before financial regulators in other states write similar rules, said Barons.

“We saw the same sort of thing when Massachusetts worked on its privacy requirements and breach-notification laws,” he added. “Once one state does it, soon there is a flood of other states that follow.”

The typical model of placing the responsibility for information security in the IT organization will not hold up, according to Barons.

“I think it is going to be a lot harder to say that someone who already wears seven hats now has this responsibility too,” he said.

Barons sees information security as a C-level responsibility: a position with access to the board, knowledge of the company’s products, and a role in day-to-day operations.

“It should not be stuck in a closet of a back room,” he said.

Barons grades the financial services vertical a ‘B’ for overall preparedness for the new regulation, though he admitted that he grades on a curve.

“You have banks that have a lot of funding, mature cyber-security programs, and full backing from the top down,” said Barons. “Then you have smaller firms where they do not have any of that.”

However, there are resources, such as the US Department of Commerce’s National Institute of Standards and Technology (NIST), whose 800-series publications can help firms implement the necessary best practices.

“Most of the regulatory requirements that we have seen over the past several years are based on NIST’s best practices, especially when it comes to Federal and other governmental regulations,” he said.
