The proposed New York Department of Financial Services Cybersecurity Requirements for Financial Institutions (the “Regulation”) has many different aspects that are designed to bring about overall improvement in cybersecurity programs. One that has yet to be explored is how the Regulation elevates the role of the Chief Information Security Officer (the “CISO”) beyond the traditional role at many financial services companies. The Regulation has detailed requirements for what must be included in a company’s cybersecurity policy and procedures. While most of the requirements are standard for information security policies, a few assign responsibility for areas of the business that are necessary for cybersecurity but that, within most organizations, extend far beyond it.
One of the requirements is the inclusion of data governance and classification. Data must be appropriately classified, and governance rules applied, for proper cybersecurity. However, data classification covers many topics, such as licensed data, third-party confidential information, company confidential information, intellectual property and many others. Data governance ensures that data, once correctly classified, is used in a manner appropriate to the business need and objectives, and in compliance with laws and regulations.
The Regulation also requires that business continuity and disaster recovery planning and resources be part of the cybersecurity policy and procedures. In many companies, the executive responsible for these areas and resources does not report to the CISO. Business continuity and disaster recovery planning also goes far beyond traditional cybersecurity planning, and yet it is critical to cybersecurity effectiveness.