Cybersecurity rules to impact island firms
Bermuda financial-services companies with offices in the US will need to be prepared for new cybersecurity regulations within the next four months.
The New York Department of Financial Services (DFS) is pushing to establish “regulatory minimums” to protect companies and consumers against cyber threats.
The new rules, known as NYCRR 500, create stricter guidelines around how companies assess and monitor their security effectiveness and that of their third parties.
Stephen Bull, managing director of Bermuda-based Independent Consulting Solutions (ICS), says this has the potential to impact all organisations that are under the DFS, including companies that are headquartered out of state (or internationally) but have branches in New York.
“Because New York is seen as the epicentre of the finance world, NYCRR 500 may influence and serve as the starting point for other state or national regulations,” he says. “There are multiple facets to this regulation but there are two which will be of great relevance to all Bermuda companies with a US office.”
First, starting in February 2018, chief information security officers (CISOs), or designated officers, must be able to report in writing to the board a summary of their security programme and policies, and a report of their effectiveness in this area.
The cybersecurity programme must include monitoring and testing designed to assess effectiveness. A certificate of compliance must be submitted to the DFS by February 15, 2018 and CISOs need to begin providing annual reports to the board by March 1, 2018.
Second, by September 2019, organisations are also being asked to implement policies and procedures that demonstrate oversight of their third parties' security risk management programmes.
Included in this is “periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices”.
Mr Bull says organisations have known about this regulation since September 2016 and have been developing plans to be in compliance.
As of August 2018, organisations will be required to name CISOs or designated officers to be in charge of their security programmes.
“There is more runway for Bermuda companies to prepare for the third-party risk requirements, but you can be sure this is also on their mind,” Mr Bull said.
ICS has staged several sessions at its offices in Burnaby Street for Bermudian companies, in conjunction with BitSight Technologies, examining the areas of cyber and vendor risk management.
“The event was very well attended and the feedback has been how relevant and timely it was given the various pressures of reporting upstream all the security initiatives a company needs to take and evidence,” says Mr Bull.
ICS partnered with BitSight Technologies 18 months ago with the aim of leading the Bermuda market in advising and providing solutions in this area.
ICS has several CISO consultants on its bench who can provide the necessary guidance and support around the various regulatory and compliance aspects of data security.
BitSight Technologies also provides board reporting. Its executive reports comprise effective, easily understood metrics to inform the C-suite and directors on the state of security programmes, according to a statement from ICS.
It also offers security ratings for vendor risk management and helps hundreds of organisations assess and verify the controls and practices of third parties, vendors, and business partners on an ongoing basis.
For more information, contact Stephen Bull, managing director, ICS at firstname.lastname@example.org