In this edition of Netskope Field Insights we turn to Brandon Conley, VP of Sales at Netskope to offer insights on another regulation impacting the financial services industry - The New York State Department of Financial Services (NYDFS) regulations, which can be found here, originally released on March 1, 2017. The purpose of the regulation is to require organizations to establish and maintain a “risk-based, holistic, and robust security program” designed to protect consumers’ private data.
What’s your perspective on the regulation’s impact on consumers’ data and the financial institutions affected?
New Yorkers need to know that their financial institutions are securely handling and establishing necessary controls that ensure the security of their sensitive personal information. For financial institutions, these rules provide a yardstick to demonstrate that they are managing their cyber risks and reduces their chances of being hit with regulatory sanctions. Many financial organizations already have an existing cybersecurity program, or at least the right building blocks, to address many of the requirements. The unique opportunity for all organizations is to use the requirements as a catalyst for taking a holistic look at enterprise risk and threats, then develop a revised strategy for cyber risk management, security, and compliance.
Which market verticals does the legislation apply to?
All New York financial entities regulated by the NYDFS must comply with the legislation. You can visit the NYDFS website to check if you fall under its supervision.
Will this catch on in other states, and what are the implications associated with such a trend?
New York is a financial center, so it takes the lead. This could be a model that other states replicate. Many states have cybersecurity regulations, but none that apply solely to the financial sector.
Where should a company start?
There are a lot of new requirements to digest. First, a covered entity should appoint a CISO or use a third-party to fill the role. Then, it’s required that an initial risk assessment is conducted to identify breaches in security followed by the adoption of corresponding policies and procedures and the implementation of security tools to bridge any gaps. All of this would need to be assisted by staff education or training. Third-party vendor security will also need to be addressed.
The key to complying with the cyber rules is the implementation of a cybersecurity program that can adapt to changing security concerns and can be refined when new risks are identified.
To achieve NYDFS cloud compliance, I recommend that financial organizations implement a cloud access security broker (CASB) such as Netskope to both mitigate risk and ensure compliance with all aspects of the regulation including data governance and classification, customer privacy, and other areas. We put together the checklist below to help you understand what the regulations cover, and what protections you should consider to meet cloud compliance requirements.