Twelve questions every board should ask.
Cybersecurity regulations are intensifying.
A new proposed cybersecurity regulation promulgated by New York's Department of Financial Services (DFS), which generally applies to financial institutions that do business in New York and is expected to go into effect on March 1, 2017, is groundbreaking in several respects.
Under the proposed regulation, which is mandatory and not just guidance, organizations have to implement and maintain a comprehensive written Cybersecurity Policy, as defined in the regulation, "approved by a Senior Officer or the institution's board of directors (or an appropriate committee thereof) or equivalent governing body."
The proposed regulation also requires each institution to designate a qualified individual, likely a chief information security officer (CISO), responsible for overseeing and implementing the cybersecurity program and enforcing the Cybersecurity Policy. The CISO is required to provide a comprehensive written report, at least annually, to the Board of Directors, covering the entity's cybersecurity program and material cybersecurity risks.
The regulation also requires the establishment of a Cybersecurity Program designed to protect the confidentiality, integrity and availability of the institution’s Information Systems and Nonpublic Information.
Even though the pending proposal scaled back certain requirements contained in DFS' original proposal, the new version is still quite comprehensive in scope, mandating the implementation of a Cybersecurity Policy, generally covering 14 areas, including everything from records management to third-party security. But perhaps the most extraordinary aspect of the new regulation is that it places responsibility for cybersecurity squarely on the board of directors and senior management, effectively requiring boards to engage in active, engaged and informed oversight of the entity's overall cybersecurity.
Finally, one of the most noteworthy parts of the proposed regulation is the requirement for a written certification of compliance, signed by the Chairperson of the Board of Directors or a Senior Officer(s), and certifying that:
"The Board of Directors ... has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary; To the best of [their] knowledge, the Cybersecurity Program of… complies with [the regulation]."
If the organization is not yet in compliance with the entire regulation, it must identify in the certification all areas of noncompliance as well as the planned or current remedial efforts to rectify the situation.
The following are 12 areas of inquiry that every director should consider when addressing cybersecurity issues.
1. What does the regulation require? Directors should ensure that they have a full understanding of every requirement contained in the proposed regulation. Without that understanding, it will be impossible for the directors to know whether or not the entity is in compliance.
2. Has the entity established a Cybersecurity Program that complies with the criteria set forth in the regulation? Directors should ensure their entity's Cybersecurity Program identifies internal and external risks, protects Information Systems and Nonpublic Information, and that the entity can detect, respond to, and recover from Cybersecurity Events.
3. Has the entity conducted an appropriate Risk Assessment on which its Cybersecurity Policy is based? Was the assessment sufficiently comprehensive, and how often will additional assessments be conducted?
4. Does the Cybersecurity Policy address all 14 areas outlined in the proposed regulation, and if not, why not?
5. Has the entity met the regulatory requirements for penetration testing, vulnerability assessment, maintenance of audit trails, limitations on access privileges, and the standards concerning application security?
6. In addition to retaining a CISO, has the entity utilized qualified cybersecurity personnel to manage the entity's cybersecurity risks?
7. Has the entity identified all third-party service providers with access to the entity's Information Systems or Nonpublic Information? What steps is the entity taking to ensure that each third-party service provider maintains adequate minimum cybersecurity practices?
8. Is the entity using multi-factor authentication or risk-based authentication for individuals accessing Nonpublic Information or the entity's Information Systems? If not, why not?
9. How is the entity protecting Nonpublic Information at rest and in transit? Is encryption being used, and if not, why not?
10. How is the entity monitoring the activities of authorized users? Can the entity detect unauthorized access to Nonpublic Information by authorized users? Has the entity instituted cybersecurity awareness training that reflects the risks identified in the Risk Assessment?
11. Has the entity developed a written incident response plan that tracks the requirements of the regulation?
12. Has the entity developed policies and procedures for the periodic and secure disposal of any Nonpublic Information that is no longer necessary for legitimate business purposes or business operations? If not, why not, and how is such information being stored and protected?
The proposed DFS regulation makes clear that cybersecurity is, without doubt, a board issue. The outlined questions are offered merely as a starting point for directors to use when considering their entity's cybersecurity posture and its compliance with the DFS regulation. Directors are urged to drill down on each of these areas, ensuring that they have a full understanding of the entity's cybersecurity risk profile and the reasons behind the steps being taken, and not taken, to protect its Information Systems and Nonpublic Information. Active, engaged, and informed oversight by the board on a continual basis will be crucial to protect the entity and its board members from cybersecurity threats and liabilities, and to ensure compliance with the final regulation.
Judy Selby is a Managing Director in BDO Consulting’s Technology Advisory Services practice, having more than 20 years of experience in insurance and technology. Recognized as “one of the premier voices in legal technology” by Legaltech News, she consults with clients on cyber insurance, cybersecurity, information governance, data privacy and complex insurance matters. She advises clients on best practices for handling information throughout its life cycle, from creation or collection through disposition. She can be reached at firstname.lastname@example.org.
Amy Rojik has spent 11 years with BDO directing, developing and delivering learning initiatives for all levels of professionals within the Assurance practice. She helped establish and currently directs the firm’s external Corporate Governance and Financial Reporting Center, which is designed for financial executives and those charged with governance of both public and private companies. She can be reached at email@example.com.