This is our third post in a six-part series breaking down proposed amendments to the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation. Today we focus on the changing role of your Chief Information Security Officer (“CISO”).
Ever since the original draft of the NYDFS Regulation, NYDFS has focused on the CISO as the primary implementer and enforcer of the cybersecurity program. NYDFS has been concerned that CISOs do not have the visibility or authority within covered entities to adequately influence spending decisions and business trade-offs that come from increasing the protections on nonpublic information and company information systems. The NYDFS concerns are well founded. In many covered entities, the individuals responsible for information security are not among the most senior executives. Many report, often indirectly, to the Chief Information Officer, Chief Technology Officer or Chief Risk Officer.
New responsibilities for CISOs. To remedy this, NYDFS is making clear, in Section 500.4(a), that the CISO must have “adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.” (Emphasis added).
In support of the “authority” concept, Section 500.4(c) adds that “[t]he CISO shall also timely report to the senior governing body regarding material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cybersecurity events.” (Emphasis added). This must be reviewed in connection with new responsibilities of the “senior governing body,” which is the Board of Directors at most companies. Look for a separate post from us spelling out those responsibilities.
Taken together, NYDFS is forcing companies to restructure their oversight, and funding, of the cybersecurity program. If the CISO is not a member of senior management; does not have budget authority (and an adequate budget); and is not regularly reporting to the Board concerning the cybersecurity program — there is a risk NYDFS will find the entire program non-compliant. As we saw in the EyeMed case, failures to comply, even if unintentional and in good faith, may nonetheless invalidate a company’s entire cybersecurity program and any cybersecurity program certifications.
Companies should tailor their compliance documentation to more clearly demonstrate how they comply with each item. This documentation should be designed to satisfy regulators. This requires significant work and an appropriate compliance documentation structure.