The State of New York is the first state in the country to issue a regulation that specifically requires certain cybersecurity policies, procedures, controls and personnel for financial firms. This regulation affects all organizations regulated by the New York State Department of Financial Services (DFS). That includes everyone registered under the Banking Law, Insurance Law or the Financial Services Law. This article will be specifically focused on what Registered Investment Advisors (RIAs) in the State of New York have to do to comply with the law.
This is the second post in the series which covers what large RIAs need to do to comply with the regulations for the initial deadline on August 28, 2017. The first post focused on small RIAs. This post will explore specifically what larger RIAs will need to comply in 2017
While there are many parts of the regulation, only a subset needs to be implemented this year.
1) Exemptions (500.19)
First, who is a “large” RIA? A large RIA is an advisor that has ten or more employees including contractors, with more than $5,000,000 in revenue and $10,000,000 in assets. Many RIAs in New York state meet all three criteria and therefore will need to comply with all of the regulations outlined in this article.
If your organization does not meet all three requirements then check out What small RIAs need to do to comply with NY State DFS regulations to see which regulations apply to your firm.
2) Cybersecurity Program (500.2)
The Cybersecurity Program should be “designed to protect the confidentiality, integrity and availability” of the Information Systems.
The Cybersecurity Program should be based on a Risk Assessment. It needs to identify and assess internal and external cybersecurity risks that may threaten the security of Nonpublic information. The program should utilize defensive infrastructure to protect the information systems and data. It should detect, mitigate and recover from Cybersecurity Events.
The program should include the capability to fulfill regulatory reporting obligations including making all cybersecurity documentation available to DFS.
3) Chief Information Security Officer (CISO) (500.04a)
Organizations need to designate a qualified individual who is responsible for overseeing and implementing the cybersecurity program and enforcing its cybersecurity policy. The individual is the Chief Information Security Officer or CISO. The CISO may be employed by the organization or by a third party service provider such as Fractional CISO.
4) Cybersecurity Personnel & Intelligence (500.10)
This sections of the regulation focuses on the personnel who are overseeing the performance of the cybersecurity function. Your cybersecurity personnel need to be well qualified with expertise in cybersecurity. The regulation outlines that the cybersecurity personnel need updates and training to maintain current knowledge of changing cybersecurity threats and countermeasures.
5) Cybersecurity Policy (500.3)
Every organization needs to implement and maintain a written cybersecurity policy. The policy should cover the following topics:
(a) information security
(b) data governance and classification
(c) asset inventory and device management
(d) access controls and identity management
(e) business continuity and disaster recovery planning and resources
(f) systems operations and availability concerns
(g) systems and network security
(h) systems and network monitoring
(i) systems and application development and quality assurance
(j) physical security and environmental controls
(k) customer data privacy
(l) vendor and Third Party Service Provider management
(m) risk assessment
(n) incident response
While such a big list looks imposing, formalizing what your organization does in the area (as long as it is reasonable) goes a long way to writing policies. There are third parties that can provide such policies that can be easily modified to form to your organization’s business needs.
6) Access Privileges (500.07)
Organizations need to limit user access to systems that provide nonpublic information. They should review the access privileges periodically. This regulation should be one of the easiest to comply with.
7) Incident Response Plan (500.16)
A written incident response plan designed to respond to and recover from a cybersecurity event is required for all organizations. There are a number of requirements for the plan. It must include the goals of your incident response program, outline the roles and responsibilities of the organization for incident responses and include the internal processes for responding to cybersecurity events. The plan also needs to include rules around information sharing to both internal and external parties. Additionally, it should have provisions for post cybersecurity event activities such as requirements for remediation, documentation for reporting events and evaluation and revision of the incident response plan.
8) Notices to Superintendent (500.17a)
Anytime your organization experiences a cybersecurity event then you need to notify DFS within 72 hours. There are two classifications for a cybersecurity event. The first is anytime you are required to notify a government agency or regulatory body whether it be the SEC, FINRA, New York state or other regulatory agency. The second classification for a cybersecurity event is when there is a reasonable likelihood that the event will materially affect your business. In either case you must notify DFS.
Summary
The recent regulation will likely impact your organization. Outlined above are the key parts of the regulation that larger RIAs will need to implement in 2017. (2018 has another set of requirements, the first of which will come into effect in March 2018.) By preparing now you can be ready for August when the first wave of regulations will be enforceable.
Don’t have the time to sort this all out? Give Fractional CISO a call. We can help you put your Cybersecurity Program in place, act as your Chief Information Security Officer and help you set your policies, procedures and controls in place for meeting the DFS regulations.