NY-DFS adjusts its cyber regulation

The public hearing held on Monday, December 19th seems to have generated serious waves. According to Reuters, the NYDFS regulation on cybersecurity is being postponed to March 1st 2017.
The new NYDFS regulation was meant to be the first regulation explicitly requiring financial institutions to follow specific rules in order to increase their cyber resilience. The 50-page document complemented the frameworks already available, such as the well-known NIST CSF or the FFIEC CAT. The latter introduced a model balancing inherent risk against mandatory maturity.
With the proposed regulation, NYDFS did not introduce concepts unknown to the industry. But making these concepts mandatory requirements for financial institutions would have changed the narrative.
While the additional delay gives financial institutions time to get ready, it also gives the coming regulations and laws a chance to be aligned. In addition, the new White House will certainly play a significant role in the coming month with an update of the Cybersecurity National Action Plan.

Cyber-compliance does not imply cyber-resilience

Financial institutions fear having to manage additional frameworks or mandatory layers that increase the cost of being cyber-compliant without addressing the objective of being cyber-resilient. This now classic triptych is haunting the CISO and the board of directors.
Institutions are looking forward to a regulation that takes their profile into consideration. We are leaving the theoretical model behind and going back to talking about building a cyber-strategy that improves the mitigation of the company's real risks.
Even with 3 additional months, the pressure remains on institutions to improve their cyber resilience. Public news and real incidents emphasize the urgency. The NYDFS delay will therefore allow the strategy to be refined on both the private and the public side.
