Potential US Cyber Security Regulations

October 18, 2017

The New York Department of Financial Services [DFS] cybersecurity regulation [23 NYCRR 500] establishes “regulatory minimums” to protect companies and consumers against cyber threats.

Among other requirements, it sets stricter guidelines around how companies assess and monitor their own security effectiveness and that of their third-party service providers.

Stephen Bull, Managing Director of Bermuda-based Independent Consulting Solutions [ICS], says this has the potential to impact all organizations regulated by the DFS, including companies headquartered out of state [or internationally] that have branches in New York.

“Because New York is seen as the epicenter of the finance world, NYCRR 500 may influence and serve as the starting point for other state or national regulations,” he says.

“There are multiple facets to this regulation but there are two which will be of great relevance to all Bermuda companies with a US office.”

A spokesperson said, “Beginning in February 2018, Chief Information Security Officers [CISOs], [or designated officers] must be able to report in writing to the Board a summary of their security program and policies, and a report of their effectiveness in this area.

“The cybersecurity program must include monitoring and testing designed to assess the effectiveness of the program. A certificate of compliance must be submitted to the DFS by February 15, 2018 and CISOs need to begin providing annual reports to the board by March 1, 2018.

“By September 2019, organizations are also being asked to implement policies and procedures that demonstrate oversight of their third parties’ security risk management programs. Included in this is the requirement, “periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.”

Mr Bull says organizations have known about this regulation since September 2016 and have been developing plans to be in compliance. As of August 2017, organizations were required to name CISOs or designated officers to be in charge of their security programs.

“As such, affected organizations should be well on their journeys towards being able to submit their certificate of compliance in February 2018.

“There is more runway for Bermuda companies to prepare for the third party risk requirements, but you can be sure this is also on their mind,” says Mr Bull.

“ICS recently held a number of sessions at its offices in Burnaby Street for Bermuda companies, in conjunction with BitSight Technologies, examining the areas of cyber and vendor risk management.”

“The event was very well attended and the feedback has been how relevant and timely it was given the various pressures of reporting upstream all the security initiatives a company needs to take and evidence,” says Mr Bull.

“ICS partnered with BitSight Technologies 18 months ago and has been securing its position in the Bermuda market as a leader in advising and providing solutions in this area. Indeed, ICS has a number of CISO consultants on its bench who can provide the necessary guidance and support around the various regulatory and compliance aspects of data security.

“BitSight Technologies also provides Board reporting whereby its Executive Reports are comprised of effective, easily-understood metrics to inform the C-Suite and Boards of Directors on the state of their security programs. It also offers Security Ratings for Vendor Risk Management and currently helps hundreds of organizations assess and verify the controls and practices of third parties, vendors, and business partners on an ongoing basis.

“For more information on how ICS can assist with CISO and vendor risk management solutions, contact Stephen Bull, Managing Director at sbull@icsbermuda.com.”
