Are you looking for help hiring a CISO after a NY DFS audit, or before you are audited?
The New York State Department of Financial Services has published requirements that include appointing a CISO for your company.
The New York Department of Financial Services (NY DFS) first issued its cybersecurity regulation, 23 NYCRR 500, in 2017; it has been in effect since March 1, 2017 and was amended most recently in 2023. Its objective is to improve the defenses of financial services companies against cyber-attacks, and it mandates a cybersecurity program for every company operating under NY DFS jurisdiction.
Your CISO should help you build a comprehensive cybersecurity program. To protect customer data and the integrity of financial systems, you need regular risk assessments, an incident response plan, and ongoing cybersecurity training for your users, and those are just a few of the more than 20 categories of required controls.
Every year you must certify your compliance to DFS. The regulation's scope ensures that both large and small financial institutions implement sufficient measures to mitigate cybersecurity risk.
The point of the regulation is to protect financial institutions, and their customers, from cyber threats.
The role of a Chief Information Security Officer (CISO):
- The NY DFS requires covered entities to appoint a CISO.
- Organizations must have effective cybersecurity leadership in place. Only an effective leader can turn an insecure company into a secure one in a way that is both strategically sound and financially sustainable.
Virtual CISO services as a solution to your CISO problem:
Let us introduce the Virtual CISO (vCISO): an alternative for businesses that want to meet NY DFS requirements efficiently and cost-effectively.
Normally, you would hire someone experienced to run your Information Security Program and handle compliance, security awareness training, and the 21 other categories of security controls across your IT and business functions.
But in reality, finding someone who is both experienced and available is hard. Keeping them from being poached by the competition is harder still.
Companies like ours have found a solution: a security team that takes on the responsibilities of a CISO. We call that a Virtual CISO.
2. NY DFS Cybersecurity Regulation 23 NYCRR 500 Overview
History and Context:
- NY DFS introduced the regulation in 2017 to push financial companies to become more resilient, not just to cyber-attacks but to human error, because service downtime and data loss are often caused by mistakes rather than by hackers.
- The key objective of NY DFS was to mitigate cybersecurity risks in the financial sector.
Key Requirements of the Regulation:
- Appointment of a CISO: every covered entity must designate a qualified individual responsible for overseeing and implementing its cybersecurity program and enforcing its cybersecurity policy. The regulation allows that individual to be employed by the entity, by an affiliate, or by a third-party service provider.
- Cybersecurity Policy: a written cybersecurity policy, approved by a senior officer or the board, covering the areas the regulation lists. In practice this means creating specific policies and procedures, usually 20-35 documents in total, just for cybersecurity.
- Cybersecurity Risk Assessment: Regular risk assessments to identify and mitigate cybersecurity risks.
- Incident Response Plan: a written incident response plan covering detection, response, recovery, and notification for cybersecurity events. Beyond the plan itself, you need the tooling and the expertise to actually handle an incident.
- Annual Certification of Compliance: each covered entity must submit an annual certification of compliance to DFS. Separately, the CISO must report at least annually to the board on the cybersecurity program and its material risks.
Challenges Faced by Financial Institutions:
- Complex compliance landscape, especially for small- and medium-sized businesses (SMBs).
- Difficulty in hiring full-time CISOs due to cost, skill shortages, and high demand.
3. Role of the CISO Under NY DFS Requirements
CISO Responsibilities:
- Develop and oversee the execution of the entity’s cybersecurity program.
- Ensure compliance with NY DFS cybersecurity requirements.
- Conduct regular cybersecurity risk assessments and ensure proper documentation.
- Monitor evolving cyber threats and adapt strategies accordingly.
- Prepare and present annual reports to the board of directors regarding cybersecurity risks and strategies.
Importance of a CISO for Compliance:
- The NY DFS insists on a CISO because cybersecurity controls do not get implemented without leadership and oversight. If you hand this to a technical person with no hands-on security experience, you will get hacked faster than you can imagine. Technical skills and security skills are two different fields, somewhat like the difference between the military and the construction industry.
- Going without a dedicated cybersecurity leader carries real risk: regulatory penalties for non-compliance, and breaches that nobody was positioned to prevent or detect.
4. Challenges of Appointing a Full-Time CISO
High Costs of Hiring a Full-Time CISO:
- Typical CISO salaries in major financial hubs like New York City range from $200,000 to $500,000 annually.
- Additional costs include benefits, training, and retention efforts.
Talent Shortages:
- Increasing demand for skilled cybersecurity professionals makes it difficult for smaller institutions to hire qualified CISOs.
- Time-consuming hiring processes can delay compliance efforts.
Complexity in Ensuring Continuous Coverage:
- Companies must maintain constant cybersecurity oversight, including during vacations, resignations, and transitions; a single-person role inevitably leaves gaps in coverage.
5. Introduction to the Virtual CISO (vCISO) Model
What is a Virtual CISO (vCISO)?
- A vCISO is a third-party expert or firm that provides CISO-level services on an outsourced basis. It is not always cheaper per month, but it usually ends up much cheaper in the long run once you count headhunting fees and the cost of hiring and replacing multiple full-time people in that salary bracket.
- vCISO services typically cover risk management, incident response planning, compliance auditing, and reporting.
vCISO vs. In-House CISO:
- A vCISO's flexible service model contrasts with the fixed cost and single point of failure of a traditional in-house CISO.
- vCISO services scale and can be customized, so a business pays only for what it needs.
6. How a vCISO Can Help Meet NY DFS Requirements
Cost-Effective Compliance:
- A vCISO saves money for smaller institutions that cannot afford, or cannot find, a full-time CISO. Sometimes it is not about the money: finding the right person can take 6 to 12 months of active searching and interviews. What happens to your cybersecurity posture in the meantime?
- vCISO services are generally more affordable, with flexible pricing (hourly or monthly retainers). You pay only for the work you use, not for someone's idle hours or coffee breaks.
Expertise and Specialization:
- vCISOs bring years of experience managing cybersecurity across industries, including NY DFS compliance work.
- Many vCISOs have deep knowledge of industry-specific regulations and best practices.
Risk Assessment and Cybersecurity Program Development:
- A vCISO can handle regular risk assessments as required by 23 NYCRR 500 and assist in designing cybersecurity programs tailored to the organization’s risk profile.
Incident Response and Reporting:
- vCISOs can draft and implement incident response plans that satisfy NY DFS's reporting rules, including notice to DFS within 72 hours of determining that a reportable cybersecurity incident has occurred.
- Regular reporting to the board of directors and a compliance-first approach are part of the service.
7. Additional Benefits of Using a Virtual CISO
- 24/7 Security Oversight:
- A vCISO firm backed by a security team can provide continuous monitoring and threat detection without you staffing an in-house team around the clock.
- Scalability:
- As a company grows, a vCISO can scale services up or down, adding resources when needed without permanent headcount.
- Flexibility and Customization:
- vCISO services are tailored to the organization's current needs, so businesses don't pay for services they don't use.
- Instant Access to a Network of Experts:
- Many vCISO firms have whole teams of security professionals, offering broader expertise than any single in-house CISO.
8. Case Studies or Examples of Successful vCISO Implementation
- Case study 1: Mid-Sized Financial Institution:
- One of our clients, with us since they signed up in 2020 (over four years ago), has around 2,200 employees and a large, complex IT infrastructure. With more than 16 member companies in their financial group, finding one person capable of handling that complexity and workload was a challenge. We provided a vCISO to meet NY DFS requirements cost-effectively.
- Case study 2: Small FinTech Startup in Dubai:
- We worked with a small fintech startup in Dubai that was building (and still runs) a payment processing system for B2B clients. Together we achieved NY DFS compliance using vCISO services for risk assessments and incident response planning.
What’s next?
We encourage you to consider vCISO services as a strategic solution for achieving compliance with NY DFS and other regulatory frameworks. At the very least, book a call with us and see whether we can help.