This entry provides a wrap up on written standards, with a discussion on policies on cybersecurity. Regarding policies on cybersecurity, it has become so critical for corporation that the CCO and many compliance practitioners are now required to deal this issue.
Cybersecurity policies are the newest area to fall into the lap of the compliance professional. Fortunately, the state of New York's Department of Financial Services has issued the first state level regulations on cyber security for financial institutions. They became effective March 1, 2017 and while they are designed to protect financial services industries and consumers, they have application to and provide guidance for, a wider variety of non-financial service companies and commercial enterprises. It mandates your overall cybersecurity policy should be designed to meet the goals to prevent, detect and remediate a cybersecurity event.
While the regulation is obviously geared towards financial services firms, there were several points that any non-financial services compliance practitioner should consider. The overall cybersecurity program should be designed to meet the three goals of any best practices compliance program: (a) preventing any cybersecurity breaches or failures; (b) detect cybersecurity events; (b) remediate through responding to identified or detected cybersecurity events to mitigate any negative effects, recovering from them and restore normal operations and services. An added requirement for cybersecurity will be notification of appropriate regulatory authorities.
Your written policy should be based on a risk assessment, taking the following factors into consideration: “(a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.”
There should be a corporate officer position which reports to the Board of Directors, who should report to the Board on the following topics: (1) the confidentiality and the integrity and security of the information systems; (2) the cybersecurity policies and procedures; (3) material cybersecurity risks; (4) overall effectiveness of the cybersecurity program; and (5) any material cybersecurity events. The cyber compliance team must all show proficiency in the discipline and keep abreast of cybersecurity developments.
For ongoing monitoring, there should be annual penetration testing and biennial vulnerability assessments. Finally, there must be annual risk assessments designed to test: (1) identified cybersecurity risks and threats; (2) criteria for the assessment of the confidentiality, integrity, security, availability and adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.
If a company allows a third-party provider to have access to or hold its data, it must perform an evaluation of that third-party provider in the following areas: (1) identification and risk assessment of the third-party provider; (2) minimum cybersecurity practices required to be met by third-party provider in order for them to do business; (3) due diligence processes used to evaluate the adequacy of cybersecurity practices of third-party provider; and (4) periodic assessment of third-party provider based on the risk they present and the continued adequacy of their cybersecurity practices. There should also be effective training and ongoing monitoring requirements for employees of impacted third-party providers.
All of the above should sound quite familiar to any anti-corruption compliance professional. Yet this DFS regulation should also be studied as a roadmap for the inevitable cybersecurity and InfoSec compliance which is just down the road for non-financial services industries. The third-party providers are particularly critical as many major data breaches occurred through connected third parties. One need only think of the Target data breach to the looting of the Central Bank of Bangladesh through the New York Federal Reserve Bank.
Three Key Takeaways
This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.