Following our successful event in Rochester, the second of the NYDFS 23 NYCRR 500 roadshow events, held at Phillips Lytle LLP in Buffalo, NY on May 17, 2017, brought together executives, insurance, legal, and security professionals for a forum on the challenges financial services organizations face in meeting the new cybersecurity regulations that went into effect on March 1, 2017. A full house heard practical advice designed to help entities regulated by the New York Department of Financial Services (NYDFS) comply with the new regulations.
Jennifer Beckage of Phillips Lytle LLP started with her “Survival Guide to Navigating the NYDFS Cybersecurity Regulation”. Jennifer talked about the challenges covered entities face not only developing their own cybersecurity programs, but how those spill over to their service providers. Developing, implementing and monitoring vendor management programs will affect contracts, day-to-day operations and the technology used to secure and control information shared.
Dr. Larry Ponemon of the Ponemon Institute followed with a review of his latest survey, “Countdown to Compliance: Is the Financial Services Industry Ready for New York State’s Cybersecurity Regulations?”. Sponsored by Fasoo, this survey gave great insight into the readiness of financial services organizations to comply with the new regulations. One key statistic from the survey that picked up on Jennifer’s discussion on third party liability is that only about half the organizations think they can meet the two-year transitional period to implement a third-party services provider security policy. One member of the audience mentioned that they may have to switch some service providers who can’t meet the requirements. The discussion also talked about fourth-party service providers, since you as a covered entity can’t know who your service providers use for their business. This gets complicated very quickly.
Dr. Ponemon’s keynote was followed by a panel discussion moderated by Kevin Cox from Brite Computers on meeting governance and security aspects of the regulation. The panel included Dr. Ponemon, Jennifer Beckage, Dave Hansen from Freed Maxick, Reggie Dejean from Lawley Insurance, and Ron Arden from Fasoo. Based on a number of questions from the audience, the panel had a lively discussion on incident response. A key item is to engage your legal and insurance providers immediately if you suspect a negative cyber event. How you characterize an event and your response to it is not only a technical and process issue, but a legal one too. An event is not considered an incident until an attorney says so.
One key discussion was on data retention and protection. Since the regulation talks about encrypting and limiting access to all nonpublic data, one way to minimize risk is to delete information that is no longer needed by the business. If you don’t have it, you don’t need to protect it. This not only helps with general security hygiene, but also helps satisfy other regulations, since eliminating unneeded information reduces a company’s general liability. As in the earlier discussions, this lends itself to protection and revoking access to nonpublic information you share with your service providers.
Fasoo wants to thank all the Buffalo NYDFS 23 NYCRR 500 roadshow sponsors for their support. It was a great event, and everyone said they got a lot of useful information that will help them as they strive toward meeting the first deadline of August 28, 2017.