Cybersecurity Training Under the NYDFS Regulations
About the Presenter
Douglas Kelly, Lead Legal Writer, EverFi
Agenda
● Final Regulation Overview
● The Training Requirement
● Best Practices
Final Regulation Overview
The Regulation
● Cybersecurity Requirements for Financial Services Companies
● New York State Department of Financial Services (DFS)
● Who’s Covered
○ Any business operating under New York’s banking, insurance, or financial services laws.
○ Affiliate of a New York-based company?
Exempt Entities
● Exemptions
○ Companies with fewer than 10 employees located in New York.
○ Fewer than 10 employees “responsible for business” of the covered entity.
○ Less than five million dollars in gross annual revenue in each of the last three fiscal years “from New York business operations.”
Regulation Overview
● Cybersecurity Program
● Cybersecurity Policies
● Personnel
● Security Measures
○ e.g., Risk Assessment
● Training
What’s In the News
● International Data Corporation (IDC) projected that the banking industry would spend $8.8 billion on data security (Oct. 12, 2016).
● CNN reports that North Korean hackers are targeting banks (Apr. 4, 2017).
● The National Law Review ranks cybersecurity as the #4 issue for banks in 2017 (March 20, 2017).
Context for the Regulations
Poll Question #1
Have you identified the biggest risk to your company’s cybersecurity in 2017?
a. Yes
b. No
The Training Requirement
Training Mandate - 23 NYCRR 500.14(b), 500.10
● Specialized training to qualified “cybersecurity personnel.”
● Provide “regular cybersecurity awareness training for all personnel that is updated to reflect risks” identified by the Risk Assessment.
● Must train by: March 1, 2018.
How to Train - “Regular”
● Merriam-Webster defines regular as “Recurring . . . or functioning at fixed, uniform, or normal intervals.”
● Companies “shall conduct a periodic Risk Assessment…” and “bi-annual vulnerability assessments…” [emphasis added]
● Verizon’s 2016 Data Breach Investigations Report
○ Recommends “ongoing training” to ingrain situational awareness and thoughtfulness.
How to Train - “Cybersecurity Awareness”
● FFIEC - “cybersecurity risks and the need to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber threats.”
● Resources
○ FFIEC “Cybersecurity Awareness”
○ Cybersecurity Resource Center
How to Train - “Updated to Reflect Risks”
● Risk Assessment
● Insider Negligence
○ “Employees are your biggest cybersecurity risk - and also, potentially, your biggest asset. Cybersecurity is everybody’s job and mistakes by employees, contractors, and vendors - using weak passwords, opening attachments from an unfamiliar source, misconfigured settings - lead to the overwhelming majority of successful attacks.” National Center for the Middle Market.
How to Train - More on Insider Negligence
“Although external threats tend to grab headlines, insider breaches from employees, consultants, and others can do just as much—if not more—harm to an institution.” DFS.
“Establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution's information and systems.” FFIEC IT Examination Handbook.
“76% of IT respondents (up from 67% in a 2014 study) said that their organization had experienced the loss or theft of company data in the last two years. Insider negligence was more than twice as likely as external attackers to compromise insider accounts.” Ponemon Institute.
Poll Question #2
How do you most often communicate compliance issues?
a. Email
b. Policies
c. Meetings
d. Culturally
Training Best Practices
● Start with Context
○ Business decision vs. training mandate
■ Capgemini Consulting Survey: 21% vs. 74%
Training Best Practices
● Mere Policies Don’t Work
● Conduct Training
● An adult learner must be willing to learn.
● Narrative case-based learning is highly effective.
● Training must have an immediate, practical application.
Training Best Practices - Conduct Training
● Engagement
○ Attention vs. Engagement vs. Learning
● Culture
○ Tone at the Top, Values, Legitimacy, Management, Daily Practices
THE TAKEAWAYS
● Cybersecurity is a business matter.
● Training is required, and should be effective.
● Employees are the greatest risk, and greatest asset.
It’s More Than the Regs
Questions?
Thanks! Contact us:
EverFi, 1255 Treat Blvd., Suite 550, Walnut Creek, CA 94597
Michele Collu, Demand Generation Manager
[email protected], (925) 279-2171