On June 15, 2021, I was fortunate to have had the chance to sit down with Justin Herring, Executive Deputy Superintendent, Cybersecurity Division, at the New York Department of Financial Services (NYDFS) to discuss cybersecurity. Many will know that the Cybersecurity Rule from the NYDFS is widely acknowledged as a groundbreaking and leading cybersecurity regulation. From technical security requirements, to Board governance, and the yearly certification requirement, the Cybersecurity Rule has had a significant impact since being rolled out in 2017.

Feel free to watch the entire interview with Justin on Linklaters.com using the link below for useful insights from the regulator himself on how companies can manage their cyber risks and disclosures. Below are a few of my key takeaways:

  1. Do not underestimate the value of reporting. As anyone who has helped prepare a slide deck (or the work behind it) for a board meeting knows, internal reporting requirements at the highest level drive many valuable workstreams such as the identification of useful metrics, implementation of the tooling needed to collect and analyze them, and identification of relevant measures of success. Such monitoring, assessment, and improvement driven by reporting requirements are key drivers for an effective cybersecurity program.
  2. For entities covered by NYDFS's Cybersecurity Rule, know that there is no such thing as a partial certification. Covered Entities are either compliant, and file an annual certification, or are not, and must memorialize their plans to close any material gaps, but refrain from filing what would be considered an erroneous certification. What do you do if you realize after the fact that you have filed an erroneous certification? Reach out to NYDFS and explain the situation (after consulting with counsel), or risk having the Department find out on its own based on an examination or in connection with an incident notification.
  3. Stay tuned as NYDFS will soon be releasing a set of controls it recommends for addressing ransomware risk. Ransomware is a recurring problem, but attackers have typically used similar attack strategies against different corporate networks. NYDFS has identified a number of controls that are known to be effective at preventing or mitigating such attacks, and will be releasing guidance on this in the coming weeks or months.