Due to the complexity of security technology, IT specialists are finding it increasingly difficult to explain to senior officers how their security strategy works. The Ponemon Institute polled IT specialists as part of a study and found that 67% of those interviewed agreed that their company's strategy “is too complex to explain to senior executives.”
NY rules: a gamechanger
NY rules might open a new door
The NY State Department of Financial Services issued its “Cybersecurity Requirements for Banks, Insurance Companies, and Other Financial Services Companies”, which have been in effect since March 2017.
These requirements put on the table regulations that oblige financial institutions to engage proactively in cybersecurity activities. More importantly, they require that “senior officers” acknowledge that they have reviewed the relevant documents and that the company complies with the regulations.
In other words, the State of New York now requires these senior officers to certify that they are educated in the very things the Ponemon Institute found to be beyond the educational reach of senior officers.
NY rules: There could be an easier way out
But there is one important aspect to note. The regulations define a “senior officer” as “the senior individual or individuals … responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity…”
In other words, anyone at the financial institution who is responsible for cybersecurity can be the senior officer executing the certification; it does not need to be a board member or an executive officer.
Financial institutions must designate a chief information security officer (CISO). This person is very likely the one who will ultimately sign off on the certification. The CISO can be an employee of the company or provided by a third-party service.
The importance of getting these rules right
When a company complies with New York State's cybersecurity requirements, it has a stronger defence against shareholder lawsuits arising from a data breach.
Most of the time, these lawsuits argue that poor or nonexistent corporate oversight was a determining factor in the loss of information.
In order to provide your business with the best tool available, Swascan, together with Raoul Chiesa (Raoul Chiesa interview), developed a dedicated cybersecurity platform. It is entirely cloud-based, pay-per-use and SaaS. You can see for yourself in our brochure (Cybersecurity platform) and take an in-depth look at our services. Our three services cover all governance needs in terms of risk management and periodic assessment. If you need to understand the areas on which your efforts must focus, Vulnerability Assessment, Network Scan and Code Review are the right tools for you. Last but not least, don't forget the GDPR, the General Data Privacy Regulation (GDPR guide), and the introduction of new roles such as the DPO: our platform is 100% GDPR compliant (GDPR infographic).