
New York Department of Financial Services (DFS) Cyber Compliance Nightmare?

Authors: Simone M. Silva-Arrindell and Craig A. Newman

New York’s powerful Department of Financial Services (DFS) upended cybersecurity regulation with its new and sweeping “Cybersecurity Requirements for Financial Services Companies,” which took effect on March 1, 2017.  But is the financial industry ready and equipped to comply with this detailed regulation? According to a recent survey published by Ponemon Institute and sponsored by Fasoo, the answer is an unequivocal “no.”

As we reported in June, Ponemon published a survey addressing the challenges facing financial firms that fall within the scope of the new regulation. More than 50% of the organizations surveyed say their companies will not be able to comply with the regulation in the time frame required. The first wave of requirements under the regulation must be in place by August 28. Other requirements are staggered over a two-year period.

A closer look at the results of the survey indicates that the biggest challenges for institutions required to comply with the regulation are a lack of in-house expertise and the time frame needed for compliance.

An overwhelming majority of survey respondents – 70% – indicated that their companies lack in-house expertise, which reduces the effectiveness of their cybersecurity posture. Indeed, 25% of respondents said their companies do not have a chief information security officer (CISO) and an additional 25% indicated their CISO is not “fully dedicated” to the job, presumably meaning that the CISO has additional job responsibilities. Similarly, 51% of respondents said their companies do not have a functioning cybersecurity program or that it is either informal or ad hoc. Additional in-house challenges to companies’ cybersecurity effectiveness, according to respondents, include the inability to know where high-value data assets are located, negligent or careless employees, and an insufficient budget.

As noted, time for compliance is also a significant concern.  Of the 564 individuals surveyed, more than 50% said their companies will not be able to comply with the specific requirements of the 12-month and 18-month transitional periods and 53% of respondents indicated their companies will need an additional 12 months or more to achieve compliance.  But 55% of respondents indicated they are “positive” their companies will be able to comply with the requirement to establish a security policy for third-party services within the two-year timeline.

A majority of the respondents also indicated that it will be difficult to implement the various security requirements.  According to 69% of respondents, it will be difficult to continuously monitor threats or conduct penetration testing, as required by the regulation.  Moreover, 65% indicated anticipated difficulty in limiting user access privileges to nonpublic information and 62% perceive difficulty with encrypting nonpublic information.

The Ponemon DFS survey is available for download. The Patterson Belknap team will continue to monitor the issues institutions face as they implement the new regulation.

Simone M. Silva-Arrindell (associate) and Craig A. Newman (partner) represent Patterson Belknap Webb & Tyler LLP, a law firm in New York that has a Privacy and Data Security Practice.