Training Under the New York Cybersecurity Requirements

Posted on 13-Apr-2017

Cybersecurity Training Under the NYDFS Regulations

About the Presenter

Douglas Kelly, Lead Legal Writer, EverFi

Agenda

● Final Regulation Overview

● The Training Requirement

● Best Practices

Final Regulation Overview

The Regulation

● Cybersecurity Requirements for Financial Services Companies

● New York State Department of Financial Services (DFS)

● Who’s Covered

○ Any business operating under New York’s banking, insurance, or financial services laws.

○ Affiliate of a New York-based company?

Exempt Entities

● Exemptions

○ Companies with fewer than 10 employees located in New York.

○ Fewer than 10 employees “responsible for business” of the covered entity.

○ Made less than five million dollars in gross annual revenue for the past three years “from New York business operations.”

Regulation Overview

● Cybersecurity Program

● Cybersecurity Policies

● Personnel

● Security Measures

○ Ex. Risk Assessment

● Training

What’s In the News

● International Data Corporation (IDC) projected the banking industry spent $8.8 billion in data security (Oct. 12, 2016).

● CNN reports that North Korean hackers are targeting banks (Apr. 4, 2017).

● The National Law Review ranks cybersecurity as the #4 issue for banks in 2017 (March 20, 2017).

Context for the Regulations

Poll Question #1

Have you identified the biggest risk to your company’s cybersecurity in 2017?

a. Yes
b. No

The Training Requirement

Training Mandate - 23 NYCRR 500.14(b), 500.10

● Specialized training to qualified “cybersecurity personnel.”

● Provide “regular cybersecurity awareness training for all personnel that is updated to reflect risks” identified by the Risk Assessment.

● Must train by: March 1, 2018.

How to Train - “Regular”

● Merriam-Webster defines regular as “Recurring . . . or functioning at fixed, uniform, or normal intervals.”

● Companies “shall conduct a periodic Risk Assessment…” and “bi-annual vulnerability assessments…” [emphasis added]

● Verizon’s 2016 Data Breach Investigations Report

○ Recommends “ongoing training” to ingrain situational awareness and thoughtfulness.

How to Train - “Cybersecurity Awareness”

● FFIEC - “cybersecurity risks and the need to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber threats.”

● Resources

○ FFIEC “Cybersecurity Awareness”

○ Cybersecurity Resource Center

How to Train - “Updated to Reflect Risks”

● Risk Assessment

● Insider Negligence

○ “Employees are your biggest cybersecurity risk--and also, potentially, your biggest asset. Cybersecurity is everybody’s job and mistakes by employees, contractors, and vendors – using weak passwords, opening attachments from an unfamiliar source, misconfigured settings - lead to the overwhelming majority of successful attacks.” National Center for the Middle Market.

How to Train - More on Insider Negligence

“Although external threats tend to grab headlines, insider breaches from employees, consultants, and others can do just as much—if not more—harm to an institution.” DFS.

“Establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution's information and systems.” FFIEC IT Examination Handbook.

“76% of IT respondents (up from 67% in a 2014 study) said that their organization had experienced the loss or theft of company data in the last two years. Insider negligence was more than twice as likely as external attackers to compromise insider accounts.” Ponemon Institute.

Poll Question #2

How do you most communicate compliance issues?

a. Email
b. Policies
c. Meetings
d. Culturally

Training Best Practices

Training Best Practices

● Mere Policies Don’t Work

● Conduct Training

● An adult learner must be willing to learn.

● Narrative case-based learning is highly effective.

● Training must have an immediate, practical application.

Training Best Practices - Conduct Training

● Engagement

○ Attention vs. Engagement vs. Learning

● Culture

○ Tone at the Top, Values, Legitimacy, Management, Daily Practices

The Takeaways

● Cybersecurity is a business matter.

● Training is required, and should be effective.

● Employees are the greatest risk, and greatest asset.

It’s More Than the Regs

Questions?

Thanks! Contact us:

EverFi
1255 Treat Blvd., Suite 550
Walnut Creek, CA 94597

Michele Collu, Demand Generation Manager
mcollu@everfi.com
(925) 279-2171