The proposed New York Department of Financial Services Cybersecurity Requirements for Financial Institutions (the “Regulation”) has many different aspects that are designed to bring about overall improvement in cybersecurity programs. One that has yet to be explored is how the Regulation elevates the role of the Chief Information Security Officer (the “CISO”) beyond the traditional role at many financial services companies. The Regulation has detailed requirements for what must be included in a company’s cybersecurity policy and procedures. While most of the requirements are standard for information security policies, a few assign responsibility for areas of the business that are necessary for cybersecurity but extend far beyond it within most organizations.
One of the requirements is for inclusion of data governance and classification. Data must be appropriately classified and governance rules applied for proper cybersecurity. However, data classification covers many topics, such as licensed data, third party confidential information, company confidential information, intellectual property and many others. Data governance ensures that data, once correctly classified, is used in a manner appropriate to business needs and objectives and in compliance with laws and regulations.
The Regulation also requires that business continuity and disaster recovery planning and resources be a part of the cybersecurity policy and procedures. In many companies, the executive responsible for these areas and resources does not report to the CISO. Business continuity and disaster recovery planning also goes far beyond traditional cybersecurity planning, and yet is critical to cybersecurity effectiveness.
Customer data privacy (although interestingly, not employee data privacy) is also required to be included in the cybersecurity policy. Many companies have a Chief Privacy Officer who has operations, policies and procedures separate from the CISO. The Regulation conflates these areas.
The same applies to physical security and environmental controls, and vendor and third party service provider management. These are operations that are also critical to cybersecurity, and yet, the functions have much broader responsibilities. At some institutions, they are well connected. At others, they are not. The Regulation seems to take the position that cybersecurity risk management in these areas is primary.
Perhaps of farthest reach is the requirement for capacity and performance planning to be included in the cybersecurity plan. These are usually the purview of the Chief Information Officer, to whom the CISO often reports. Appropriate operation of systems is critical to protecting the availability and integrity of IT systems. It is also required for the technical operations of the entire enterprise.
The Regulation not only requires financial institutions to focus more explicitly on the cybersecurity program, it also appears to require the elevation of the CISO in order to appropriately manage a broader set of responsibilities.