Training Under the New York Cybersecurity Requirements


  • Cybersecurity Training Under the NYDFS Regulations

  • About the Presenter

    Douglas Kelly, Lead Legal Writer, EverFi

  • Agenda

    Final Regulation

    The Training Requirement

    Best Practices

  • Final Regulation Overview

  • The Regulation

    Cybersecurity Requirements for Financial Services Companies

    New York State Department of Financial Services (DFS)

    Who's Covered

    Any business operating under New York's banking, insurance, or financial services laws.

    Affiliate of a New York-based company?

  • Exempt Entities


    Companies with fewer than 10 employees located in New York.

    Fewer than 10 employees responsible for business of the covered entity.

    Made less than five million dollars in gross annual revenue for the past three years from New York business operations.

  • Regulation Overview

    Cybersecurity Program

    Cybersecurity Policies


    Security Measures

    Ex. Risk Assessment


  • Whats In the News

    International Data Corporation (IDC) projected the banking industry spent $8.8 billion in data security (Oct. 12, 2016).

    CNN reports that North Korean hackers are targeting banks (Apr. 4, 2017).

    The National Law Review ranks cybersecurity as the #4 issue for banks in 2017 (March 20, 2017).

    Context for the Regulations

  • Poll Question #1

    Have you identified the biggest risk to your company's cybersecurity in 2017?

    a. Yes
    b. No

  • The Training Requirement

  • Training Mandate - 23 NYCRR 500.14(b), 500.10

    Specialized training to qualified cybersecurity personnel.

    Provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Risk Assessment.

    Must train by: March 1, 2018.

  • How to Train - Regular

    Merriam-Webster defines "regular" as "Recurring . . . or functioning at fixed, uniform, or normal intervals."

    "Companies shall conduct a periodic Risk Assessment and bi-annual vulnerability assessments" [emphasis added].

    Verizon's 2016 Data Breach Investigations Report recommends ongoing training to ingrain situational awareness and


  • How to Train - Cybersecurity Awareness

    FFIEC - cybersecurity risks and the need to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber threats.


    FFIEC Cybersecurity Awareness

    Cybersecurity Resource Center

  • How to Train - Updated to Reflect Risks

    Risk Assessment

    Insider Negligence

    "Employees are your biggest cybersecurity risk--and also, potentially, your biggest asset. Cybersecurity is everybody's job, and mistakes by employees, contractors, and vendors - using weak passwords, opening attachments from an unfamiliar source, misconfigured settings - lead to the overwhelming majority of successful attacks." National Center for the Middle Market.

  • How to Train - More on Insider Negligence

    "Although external threats tend to grab headlines, insider breaches from employees, consultants, and others can do just as much, if not more, harm to an institution." DFS.

    "Establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution's information and systems." FFIEC IT Examination Handbook.

    76% of IT respondents (up from 67% in a 2014 study) said that their organization had experienced the loss or theft of company data in the last two years. Insider negligence was more than twice as likely as external attackers to compromise insider accounts. Ponemon Institute.

  • Poll Question #2

    How do you most communicate compliance issues?

    a. Email
    b. Policies
    c. Meetings
    d. Culturally

  • Training Best Practices

  • Training Best Practices

    Start with Context

    Business decision vs. training mandate

    Capgemini Consulting Survey: 21% vs. 74%

  • Training Best Practices

    Mere Policies Don't Work

    Conduct Training

    An adult learner must be willing to learn.

    Narrative case-based learning is highly effective.

    Training must have an immediate, practical application.

  • Training Best Practices - Conduct Training


    Attention vs. Engagement vs. Learning


    Tone at the Top, Values, Legitimacy, Management, Daily Practices

  • The Takeaways

    Cybersecurity is a business


    Training is required, and should be effective.

    Employees are the greatest risk, and greatest asset.

    It's More Than the Regs

  • Questions


  • Thanks! Contact us:

    EverFi
    1255 Treat Blvd., Suite 550
    Walnut Creek, CA 94597

    Michele Collu, Demand Generation Manager, 279-2171