The 5 main third-party risks for law firms and what to do about them
Is your organization addressing the third-party risk management implications of these regulations?
Description
Join us for this complimentary webinar covering NYDFS Part 500 and its most recently implemented provision for third-party vendor management.
Our experts share insights into the regulation’s individual provisions and their implementation, as well as best practices for compliance. The discussion also covers how the recently enacted NY SHIELD Act expands cybersecurity requirements beyond the financial services industry.
The State of New York has issued regulations aimed at strengthening the cybersecurity posture of financial services organizations and protecting the data of New York residents. Is your organization effectively addressing the third-party risk management implications of these regulations?
Speakers
Peter Schumacher
Host
Maria Vuulo
CEO of VUO Advisory Services
Transcript
Peter Schumacher: Welcome, and thank you for joining our webinar today: Third-Party Cyber Security Protections and Compliance with NYDFS and the New York SHIELD Act. My name is Peter Schumacher, your webinar host. I’ve got a couple of housekeeping items to cover before we get started. First of all, this is a reminder that all attendee lines are muted, and that’s in an effort to keep this session interactive. However, we invite you to submit your questions using the live Zoom console. Time permitting, at the end of this hour we’re going to host a live Q&A. Today’s webinar is being recorded. In the next day or so, you’ll receive a follow-up email with a link to that recording. Without further ado, let’s kick things off. We’re very lucky today to be joined by a special guest speaker, Maria Vuulo. I think you’ll agree that if you’re going to do a webinar on New York cyber security regulation, you can’t find much more of a qualified expert than someone who actually wrote much of it. In addition to authoring NYDFS Part 500, Maria is the former superintendent of the New York Department of Financial Services. She has since moved on and is currently the CEO of VUO Advisory Services. And I know you didn’t join to hear my take on NYDFS. So, let’s hear directly from Maria. At this point, I’d like to turn things over, and thank you for joining us today, Maria.

Maria Vuulo: Well, that’s great. And thank you, Peter, and good day to everyone. It’s my privilege to present today.
Maria Vuulo: And as Peter mentioned, I will go through this presentation through the PowerPoint, and then we are planning to leave some time at the end for questions. So, the agenda for today is really to just get through the background and goals of cyber security, to go over key provisions of the New York DFS cyber security regulation, Part 500, to pay particular attention to third-party vendor management, and then some other laws, practical guidance, and questions. So, the goals of cyber security regulation, which was something that I thought very seriously about as a regulator for three years in New York State. The goals are to create minimum standards in order to strengthen controls to protect both business and consumer information. There are a lot of consumer privacy issues, but when you’re dealing with financial services companies, you also want to protect business information. You want to address vendor management risk, because vendors who have access to business and consumer information create risk to the entity. You want to maintain business continuity, because we all recognize that cyber security is a significant risk that has an impact on potential business continuity, and you want to mitigate financial, legal, operational, and reputational risk from potential cyber breaches. So we all know of examples of Equifax, Capital One, and other significant breaches that have caused those companies to have legal risk, financial risk in penalties and other costs, operational risk, and of course reputational risk in the marketplace. So the final New York DFS regulation I issued became effective on March 1 of 2017. It provided for transitional periods of compliance. There were different levels of requirements.
Maria Vuulo: The initial ones were having to have a cyber security program and policy. Then, after a year, we brought in the requirements of risk assessment, penetration testing, and then audit trail, encryption, and those types of requirements. The most recent requirement that went into effect, which had a two-year transition period, was for third-party service provider security policy requirements. And this is actually a very key provision of the New York DFS cyber regulation. It actually was pretty groundbreaking for us to impose requirements on banks and insurance companies that they ensure cyber security compliance by their third-party vendors. And the two-year transition period reflected the importance of this provision, but also the importance of having a transition for this provision so that the appropriate controls and due diligence could be put into place by the regulated entity. So basically, this requirement requires every covered entity to conduct due diligence of its third-party vendors to ensure that the vendor has adequate policies, procedures, and controls to address cyber security, and that’s both their existing vendors, so there’s a requirement to go back and look at that, and also any new vendors, and to have an appropriate documented process for onboarding new vendors. It includes risk assessment of those vendors and ensuring that those vendors have policies and programs. And the most important requirement is that the regulated financial institution, so the DFS-regulated entity, is responsible for the protection of business and customer data and information systems that are accessed by third-party vendors.
Maria Vuulo: So the importance of the requirements: of course, the regulated institution has that responsibility, and it cannot absolve itself of responsibility for cyber security protections by having third-party vendors utilize or perform certain services for the entity. So the key principles of the regulation in general are that it established a governance framework. It’s really important to have processes and procedures in a governance framework going up to the board of directors. It requires a risk-based approach to cyber security. Every business has different risks; within a company there are different business units that have different risks for cyber security, depending upon their business and depending upon the information systems that they have. So the regulation is a risk-based approach. It does impose and require minimum standards for a cyber security program, and again, the responsibility on the institution for third-party vendors. The regulation also imposes ongoing obligations. This is not a one-time obligation. It’s an ongoing obligation, and that is further reinforced by the annual certifications that the regulation imposes. And of course, New York DFS, the superintendent, which was my prior role, has very expansive enforcement powers to ensure compliance with laws and regulations. So, who is required to comply with DFS Part 500? Essentially, it’s any business that is regulated by DFS, which means that they’re operating under a license, a charter, some kind of a permit or authorization to do business in New York under the banking, the insurance, or the financial services law. So, that’s quite broad.
Maria Vuulo: It’s financial services, but it includes banks, insurance companies, insurance agents, mortgage lenders, brokers, money transmitters, and cryptocurrency exchanges, and also credit reporting agencies were added pursuant to a separate regulation that I did when I was superintendent. There are some exemptions, but it is important to note that these exemptions are very limited. They’re limited to certain smaller entities. If anyone wants to claim the exemption, they should read the exemption provision carefully. It really is for very small entities. But even if you qualify for an exemption, it doesn’t mean you’re completely exempted. Even those who qualify for exemptions from certain requirements must still have a cyber security policy and program and must still comply with the third-party vendor provisions. Of course, if the entity does not have an information system or data, then it’s not required to comply, because they don’t have the information systems that are in need of protection from cyber security breaches. Or if you’re covered by some other entity’s program and that other entity certifies compliance for you as well, then the exemption would apply, and these exemptions have to be reviewed annually. So when businesses grow, they may then become obligated under additional requirements. So how else does this regulation apply? So there’s the nature of the entity that you must have, and then there’s what does it apply to? It basically applies to all non-public information. And that is, as I mentioned earlier, both business-related information and personal consumer information. Business-related information must be protected where, if there is an unauthorized disclosure, that would cause a material adverse impact to the business.
Maria Vuulo: And this gets to an important part of this regulation, which is that even unsuccessful breaches are covered by the regulation. And the test is really whether or not an unauthorized disclosure would cause material adverse impact to the business. And why did we care about this, even if it wasn’t personal consumer information? And that’s because a business interruption in financial services has great implications for the economy, as well as for the customers of that business, even if the breach doesn’t actually reveal their personal consumer information. So the regulation encompasses that, as well as, of course, personal consumer information and healthcare information. So what is a cyber security event that, again, is covered by the regulation? Because the cyber program must be designed to detect an event, to respond to an event, and to recover from an event. And a cyber security event is defined as any act or attempt, successful or unsuccessful, to gain unauthorized access to, or disrupt or misuse, an information system or information stored on such information system. So again, it’s an act or an attempt, whether or not successful, to gain unauthorized access to an information system. And this is incredibly important, because the notice requirements include providing notice to DFS of cyber security events, including those that don’t actually lead to actual unauthorized access to the information. And people say, well, why? And that’s because even an unsuccessful access reveals something about the program and the controls that one should learn from and that the agency wants to know about. So this is incredibly important, because you could learn from unsuccessful events just like successful events, although of course we prefer not to have successful events.
Maria Vuulo: Risk assessment: this is critically important, because the risk assessment drives every aspect of the cyber security program. If there’s really anything that the regulation is founded upon, it’s upon the institution’s obligation, on at least an annual basis, to conduct a risk assessment. And I mentioned this before: every institution has different levels of risk within the business units. There could be different levels of risk depending upon the nature of the business. For example, a certain business unit that has more access to customer information may have a higher level of risk, just like a business unit that does more dealings, say in a bank that has higher levels of customers from different locations, might have greater risk, just like an information system that is older might be more compromised. So one needs to do this risk assessment and identify the different levels of risk, and then adapt a program to mitigate those risks, and the program might be very different based upon the different levels of risk. Importantly, it must be periodically updated, and it must be in writing. So, cyber security program: again, based on the risk assessment. So that’s the foundation. And then the institution has the obligation to set out a cyber security program that both identifies and addresses the risks to the security of the non-public information and protects the information systems, including, again, information systems that may be accessed by third-party vendors. The program must also address not only the detection of cyber security events but also the ability to respond and the ability to recover from a cyber security event. Cyber security policy. So we talked about the risk assessment.
Maria Vuulo: We talked about a program that has the controls that address the risks, and now there must be a cyber security policy. This is also very foundational. The cyber security policy must be written and approved by the board of directors or a senior officer. So that’s the governance aspect of this. The regulation is not intended to keep everything within the CISO’s obligation. It’s intended to create a governance framework so that there are high-level officers that are involved in both the design and the implementation of the cyber security policies and programs. Every cyber security policy must include certain things: obviously, the risk assessment, access controls, business continuity, incident response, vendor management, and protection of, obviously, business and customer data. I mentioned the chief information security officer, the CISO, which most institutions have; certainly the large ones have CISOs. The CISO is responsible for overseeing the cyber security program. The regulation has some other very important requirements. It requires that the CISO report to the governing body of the institution at least annually. Why? Because there have been circumstances where CISOs have felt that they’ve been put in, you know, an obligatory situation where they are solely responsible, and yet they don’t have access to senior management for things like resources to be able to have an adequate program, or people that would help them and support them in the program. So we wanted this, again, governance framework, so that the CISO must at least annually report to the governing body.
Maria Vuulo: We also made clear that the CISO has to be qualified for the role, but we also made clear that the title is not really what we’re talking about; we’re talking about the position, the responsibilities. So, someone that has other roles in a small institution, you know, can also have the CISO role. It really all depends on the institution, but it’s not the title. It’s really the position and the obligations. And we also make clear, the regulation says, that it can be outsourced to a third party. But again, with anything outsourced to third parties, the covered entity still remains responsible for compliance with the regulation. So I talked about qualifications of a CISO. The regulation also specifies in 500.10 that cyber security personnel must be qualified sufficiently to manage the entity’s cyber security risks. So not only the CISO but other personnel in the organization that are responsible for working on cyber security must have certain levels of qualifications. Obviously, there’s nothing prescriptive about this, but I think we all know what a qualified person would be in this area. And so, that’s critically important. And the other thing that the regulation mandates is training, and the training that is mandated is for cyber security personnel. So, people who are responsible for cyber security must not only be qualified, they must be trained, and very importantly, they must be trained and provided with updates on an ongoing basis, because we know that in cyber security this risk is an ongoing question, and there are always new events and new opportunities for learning to further strengthen the controls.
Maria Vuulo: And therefore the personnel who are responsible must, on an ongoing basis, be provided with updates and training to address the changing nature of cyber security and cyber security threats. And in addition, training is also required for all employees that have access to information systems. And this, I think, can be explained very simply in the knowledge that the overwhelming majority of cyber security breaches are preventable, and the overwhelming majority of breaches are things like malware, phishing, things where employees are the recipients of certain intrusions and act in ways that give the hacker access to the systems, like clicking on a link that they shouldn’t be clicking on, or addressing a malware attempt in a way that actually gives the intruder or the potential intruder access into the systems. So training on an ongoing basis of all employees is really critically important. You could have the strongest cyber security program, but if your employees make mistakes, give people access that they shouldn’t, then you’re going to have a cyber security breach. So, I can’t stress enough the importance of training. The regulation also addresses things like penetration testing, encryption, access controls, and audit trail, and these are detection-type requirements. So in terms of detection, the cyber security program must include either continuous monitoring, which is, with a technological device, there’s a continuous monitoring of the potential for breach where the organization will find out if there’s a breach or if there are vulnerabilities, or you have to do the alternative. So if you don’t have a continuous monitoring program, you must do at least annual penetration testing and biannual vulnerability assessments.
Maria Vuulo: And there are many organizations that provide this if the institution doesn’t have the staff on hand to do it. But these are requirements of the regulation, again, to ensure that the controls in place are adequate and working properly. Of course, the program also has to have access controls and privileges requirements. We’ve all seen this: you have to have passwords, and we’ve all seen that sometimes if you don’t use an account for a certain period of time, you may be asked some other question that only you know the answer to. That’s multifactor authentication. And it’s very, very important, again, for institutions to have these types of controls to prevent employees from giving access and to prevent hackers from having some information and being able to access the system. So it’s incredibly important to deal with access controls and limit the number of people who actually have access to information systems and business and customer information. The regulation also requires an audit trail, which is necessary in the event of an attack where the systems may need to be shut down, or where the hacker has shut down the systems. There needs to be an audit trail so that the business can get back up and running and has a trail of information such that it can get back to business going forward. Encryption is a very important requirement that the regulation sets forth, and encryption is both in communications in transit as well as at rest. And we also put in the regulation that if the CISO determines that, for the organization or for a particular information system, encryption is deemed infeasible, because sometimes encryption makes it difficult to perform certain business operations.
Maria Vuulo: Well, then there must be effective alternative compensating controls. So it’s very important that encryption is definitely the preference. And if encryption is going to be replaced by something else, those controls must be as effective as encryption. There have been a number of cyber security events where, if there had been adequate encryption, the amount of damage would not have been as great. Equifax is one of the best examples of this, because the hacker got into one system, and because of the lack of segmentation and encryption, that hacker was able to access multiple systems and cause much greater damage than had encryption been used. So we talked about cyber security events, program, policies, CISO, controls. So now we’re in the scenario of, really, we all know that we want to have as strong controls as possible, but cyber security events unfortunately will happen, and while we want as strong controls as possible to prevent them from happening, there are very clever actors out there, some are nation states, and we know that this is a very serious problem that is going to be ongoing. So the regulation mandates that the institution have a written plan, an incident response plan, for if a cyber security event happens. And that plan has to be able to, first of all, detect the event as quickly as possible. That has not been the case in a number of very public events, where we’ve learned that the hacker was in the system for a while before the hacker was detected, and of course caused greater damage as a result of that. But also the plan must have a response to that. So it should be in writing so that if something happens, the organization goes right to the plan and people know how to respond, who to contact, what to do, and, very importantly, how do you recover? How do you recover the systems?
Maria Vuulo: How do you recover the information? How do you recover so that the business can operate while protecting consumer and business information on an ongoing basis? So, a very, very important incident response plan. I mentioned the notices of cyber security events that are reportable to DFS, and that they can be either successful or unsuccessful. Each is very important. February 15th is the annual date. So DFS-regulated entities, every February 15th, must submit a certification of compliance. Third-party service provider policy. I have talked about this a bit already, and how this was a groundbreaking part of the regulation, because while the regulation puts the onus on the regulated entities to be responsible for cyber security compliance, it is also well known that there are many third-party service providers that have access to information and access to information systems. And so the thesis of this is, if you are transferring your information to a third-party service provider, and that information is business or consumer non-public information, then you must assess the risk of those providers on an ongoing basis and ensure that the third-party service providers have cyber security programs and policies in effect to effectively comply with this regulation. And so the idea is that the covered entity has the responsibility and therefore must do regular reviews of their providers, and any new third-party service provider on intake will need to be assessed for cyber security, among other things that might be assessed in a contractual negotiation. So what exactly does the third-party service provider security policy require?
Maria Vuulo: It requires that the covered entity, again, the bank, the insurance company, the financial services firm, must address the risks associated with its third-party vendors. So it must have its own policies and procedures internally in the organization to address third-party service providers. The basic thing is that somebody in the organization should not contract with a third party to perform certain services for the organization that may involve non-public consumer or business information without going through some kind of a procedure and due diligence of that vendor to ensure the adequacy of that vendor’s cyber security practices and procedures. The covered entity must conduct a periodic assessment of the risk faced as a result of the data accessed by third-party providers. So if customer information is provided to a vendor, that vendor must go through a process, and the covered entity must ensure that that vendor has the adequate controls to protect that information held at that third-party vendor, because the covered entity will be responsible to DFS if there’s a breach, even if that breach is through the third-party vendor. The covered entity’s due diligence of third-party service providers must include a review and due diligence of the third party’s policies and procedures for access controls, the third party’s use of encryption (obviously critically important), and requirements for notice of a cyber security event. So, a requirement that the third party notify the covered entity if they have been the victim of a cyber security event, either successful or unsuccessful. And also the due diligence must include certain considerations of representations and warranties in the contractual provisions relating to the security of the covered entity’s non-public information that the third party is accessing. So what are the best practices for vendor management?
Maria Vuulo: Because this is such a new requirement, which went into effect March 1 of 2019, and is an ongoing process of vendor management. Best practices: first and foremost, establish a company-wide process for gathering information on existing vendors and for onboarding new vendors. And that process must be ongoing, because your vendors change. Your vendors may be acquired by another company. They may acquire other businesses. They may have changes in their security and their information systems. So there must be, again, a governance framework of a company-wide process to gather this information on a regular basis. The process must be organized and documented. And let me stress that word, documented, because no process is really worth much unless you document it so that people know what the flow is. And if there is an event, you have the documented process in the event the regulator has any questions or might launch an investigation. If you have an organized and documented process, even in the event of a breach, so long as your process was sound, so long as your controls were sound and adequate and reasonable, so long as you did the job you were mandated to do, the fact that there’s a breach doesn’t necessarily mean that there’s a violation of the regulations, because, as I said before, breaches will happen, and sometimes they happen even in the strongest, most protective institutions. And for the vendor management best practices, again, annual information gathering. Does the vendor do a risk assessment? Does the vendor update policies and programs? Has the vendor experienced any breaches? Are the personnel at the vendor qualified and trained, like the DFS reg requires of the covered entity itself?
Maria Vuulo: Other best practices: again, due diligence of the third-party vendors should include things like reviewing the vendor’s cyber security policy, reviewing the vendor’s risk assessment, again assessing personnel and training, and asking questions about the vendor’s systems. I mean, we know that some of the legacy systems are more subject to compromise than a newer system may be. Now, age is not always the determination of it, but certain legacy systems may have greater risks. So we should ask those questions. Has there been a recent merger? Critically important, because in some of the major cyber security events, as it has turned out, some of the reason for the vulnerability is because there were a number of mergers or acquisitions and the company did not onboard in ways that were consistent with strong enough controls. And they may have created greater risk because of the acquisitions, or you’re acquiring a company that has legacy systems that have greater risk. Segmentation is also very important, and that’s: do the information systems all connect to one another? Are they segmented such that if the intruder gets into one, they cannot get to the others? These are issues that need to be asked about. Segmentation is not necessarily a requirement, because there may be good reasons to integrate systems, but the consideration of controls when systems are not segmented needs to be further explored. Again, the use of encryption by the vendor. Does the vendor conduct pen testing and vulnerability assessment? What are the vendor’s access controls and security policies? And again, has the vendor itself suffered any breaches? Those questions should be asked. Contractual requirements.
Maria Vuulo: Now, again, as I said, there was a two-year process for the vendor management provision of this regulation, and part of that was the recognition that there’d be existing vendors under existing contracts, and of course not being able to obviously breach contracts. But now that there’s an ongoing process, very strong consideration should be given to imposing contractual requirements on third-party vendors addressing cyber security obligations. Restrict the vendors, for example, on access to certain information systems as much as possible for purposes of the vendor’s work. Not every person at the vendor should have access to that information system. And what process is undertaken by the vendor in terms of decisions as to who should have access to the information systems of the covered entity? And again, providing for required notice of reportable events in a contractual context is a very good idea. Some mistakes to avoid in vendor management. First and foremost, don’t wait for there to be a problem. As I said, the vendor management provision of the DFS 500 regulation went into effect on March 1, 2019. It’s an ongoing obligation. There may be institutions that have perfectly complied with this provision. But it is an ongoing obligation, and there also may be institutions that have not perfectly complied with this provision. And what I would say is, don’t wait for there to be a problem. Address it as quickly as possible. Get the policies and procedures, go through the processes, go through the due diligence, and do it on an ongoing basis. Again, mistakes to avoid.
Maria Vuulo: Any work that you do that's not documented is going to be equivalent to not being done, because if you haven't documented it, then you won't be able to actually show a regulator, a class action plaintiff's lawyer, or whoever the person will be that's going to criticize you for any breach. Have the process and the work that's being done adequately documented. Again, assume that cyber breaches will happen. I think too many times people assume it's not going to happen to me: I'm too small, or I'm not the subject of a sort of public attack. You just don't really know. So just make sure you have mitigation measures and make sure you have an incident response program. Also, don't assume that large vendors are necessarily better than smaller ones. There's no one-size-fits-all here. It really all depends on what the company is, what their systems are, their personnel, their qualifications. That being said, in addressing vendor issues, be careful of price wars. A less expensive vendor might be better than a more expensive vendor, but be careful of price wars that may create an incentive to hire a less expensive vendor that may not actually have the better product, the better systems. And at the end of the day, if that results in a breach, the cost to the institution, both financial and operational, penalties from regulators, the reputational harm that comes with a very public breach: it's not worth it on the front end, because the risk is much greater in the long run. So the money should be spent on the front end. And another mistake to avoid is that the organization should not simply think that security of systems is the IT personnel's responsibility, because it's a much larger issue.
Maria Vuulo: It's a compliance issue. It's an issue that goes to the heart of the business, the functioning of the institution. There has been talk that a cybersecurity event is probably the greatest risk that our financial system faces. So it must be part of a broader, industry-wide, company-wide process, with high-level people getting involved to ensure not only that the protections are there for compliance with the regulation, but also the vendor management provisions of the regulation.

So, a few real quick things before I take some questions. On the insurance side, the DFS regulation, as I said, went into effect in March of 2017, and later in 2017 the National Association of Insurance Commissioners approved a model law that was modeled after the DFS regulation. It also includes vendor management provisions, and it has a provision that says if the institution complies with Part 500, the institution also complies with the model law. The point of this is that there are states implementing these protections across the country, and so this is not necessarily just a New York compliance question. It has much broader implications, but compliance with the DFS regulation will be helpful in the event that, outside of New York, there are any issues of compliance, whether in the regulatory environment or the legislative environment in other states. And that brings me finally to New York's SHIELD Act. Now, a number of states have imposed separate requirements; we know that California has very strict requirements on consumer protection in terms of safeguards of data and privacy.
Maria Vuulo: New York last year passed what's called the New York SHIELD Act, which broadly applies to all companies that have private information of New York consumers. So it is quite broad. It is extraterritorial in the sense that even if the company is not based in New York, if they have private information of New York consumers, they are subject to the SHIELD Act. And the SHIELD Act requires, so there is a mandate of, reasonable safeguards to protect the security, confidentiality, and integrity of private information. It's a pretty broad concept, but I think what's important is the reasonable safeguards language. And the statute references the things that I've been talking about for the past 40 minutes: risk assessment, incident response, training, and yes, vendor management. And the statute makes clear that if you comply with DFS Part 500, you comply with the SHIELD Act. So that has two significant implications. One is that any bank, insurance company, or other entity subject to DFS's jurisdiction, if they are in compliance with Part 500, then they're in compliance with the SHIELD Act. But the second thing that I believe, arguably, this means is for a company that is not a DFS-regulated company, because the SHIELD Act applies to all companies in any industry that have private information of New York consumers. If those companies are looking for what reasonable safeguards means, how do I comply with this statute? I would say a very good framework of what is a reasonable safeguard is New York DFS Part 500, because it provides the framework of what are considered reasonable safeguards.
Maria Vuulo: Certainly from a regulatory standpoint, but the applicability to the SHIELD Act is something that is a strong argument to be made for any company, not just a DFS-regulated entity. One final thing on this is that, unlike California's statute, the enforcement of the SHIELD Act is by the New York Attorney General. So there is no private right of action. The enforcement is the New York Attorney General, and there are penalty powers of the New York Attorney General as well as other powers of the Attorney General in enforcing the SHIELD Act. Of course, New York DFS is the enforcement authority of Part 500 for the financial services companies regulated by DFS. But as to the other companies that are covered by the SHIELD Act, it's the New York Attorney General. Although that enforcement is more limited, I still think there are common law claims out there that private lawyers, class action lawyers, could bring in the event of a breach, and they might very well use the provisions of the SHIELD Act as an argument for why there hasn't been adequate compliance, but there's not an actual cause of action under the SHIELD Act for anyone other than the New York Attorney General.

So, quick summary: take these laws seriously. Take the regulations seriously, because if you don't, there's legal, regulatory, financial, operational and reputational risk. Review and update policies and procedures on an ongoing basis. Conduct and document internal processes for all of the things that the regulation requires; vendor management is a key aspect of an adequate cybersecurity program. The CISO must have adequate resources. The CISO must have that through senior management. There must be qualified personnel.
Maria Vuulo: And finally, training, training, training. So many events can be prevented by the ongoing training and education of all employees. And with that, I'm happy to take questions with whatever time is remaining. So, Peter, I would turn that over to you.

Peter Schumacher: Yeah, thank you, Maria. Excellent information. I think you struck a chord with our audience; they were definitely paying attention, as we have a number of questions that have come in. A lot of good advice you provided. So what I'm going to do now is launch a polling question, and that'll just remain on your screen as we go through the Q&A section here. I'm launching that now. Everyone should see a quick question. It's basically asking if you'd like to set up a follow-up meeting with Prevalent on how we might be able to help you with the NYDFS regulations, or comply with those. So let me get to the first question here. I think some of these you may have touched on; they've come in throughout the presentation, so you may have expanded on some of these already, but it's worth repeating in some cases. So the first question was: are third parties covered by these regulations, or is the scope limited to vendors?

Maria Vuulo: So I don't know what is meant by third parties. The regulation itself, DFS Part 500, the entities that are covered by the regulation are the DFS-regulated entities. So the banks, the insurance companies, the money transmitters, the financial services companies, the credit reporting agencies that are subject directly to DFS regulation.
Maria Vuulo: If you are a third-party vendor that is not a financial services firm, you are not directly covered by the DFS regulation. However, if that third-party vendor is contractually connected to a financial services company that is subject to the DFS regulation, then the financial services covered entity will go through the due diligence of the third party, and you can be sure that if there's a problem in the future because there's a breach, because of the third party's access controls not being sufficient, that third party may very well be subject to an investigation by DFS or somebody else, whether just as a witness or under some argument that they did not provide accurate information or did not have adequate controls. And of course, third parties are subject to the New York SHIELD Act, and that would be New York Attorney General enforcement.

Peter Schumacher: Got it. Okay, that makes sense. Next question here: on slide 10, I think we mentioned that an exemption must be filed annually. Folks noticed there may be a discrepancy with what the DFS website says. It says that if you've previously filed an exemption and nothing has changed, you don't have to refile an exemption. Is it possible something's changed?

Maria Vuulo: No, that's a good point, and I agree with that.
Maria Vuulo: The obligation is, on an annual basis, to review the question as to whether or not you are still subject to the exemption, and if you believe that you're still subject to the exemption, then you don't need to again file the same document, because nothing has changed. But you need to go through that process on an annual basis, because if there is something that has changed, and even before the annual basis, if there is something that has changed, then you need to notify DFS, because then your obligations under the regulation will have changed.

Peter Schumacher: Got it. Okay, thank you. Next question is, what events trigger filing a suspicious activity report?

Maria Vuulo: Okay, so suspicious activity reports are separate from cybersecurity. Part 500 deals with the reporting to DFS of cybersecurity events, which are the attempts, the acts to intrude on an information system that has business or personal information. Suspicious activity reports, if this is what the person is talking about, SARs, are requirements of federal law that are also enforced by DFS. But SAR reporting goes to FinCEN, which is an institution that is part of the United States Treasury, and suspicious activities tend to be more in the nature of money laundering concerns, financial crime, things like that, usually within banking institutions. Now, there could definitely be a circumstance of suspicious activity that is a cybersecurity issue that might also require the filing of SARs. But those are very separate and different requirements that come out of the US Treasury, and FinCEN in particular, for the filing of suspicious activity reports for law enforcement purposes.

Peter Schumacher: All right. More questions coming in by the minute here.
Peter Schumacher: So let me stick with the ones that came in during the presentation. This is an interesting one. With regard to CISO qualification, is there detail about what that entails? Are there certain certifications, trainings? I know that I've met plenty of CISOs where I've questioned their qualifications. None of them are on this webinar.

Maria Vuulo: No, there is nothing specific in the regulation as to what kinds of qualifications would be required. And that's intentional, because we all know that there are different ways of assessing one's qualification. There could be somebody who has certain titles or even academic degrees but actually is not qualified to be a CISO in a certain type of institution. So there are various ways that someone can be qualified for the task, and that needs to be assessed first and foremost by the institution. Obviously, if people have certifications, if people have levels of experience in other institutions, you're safer in satisfying that requirement. But we also know that there are universities and programs all over the country, and actually all over the world, where specific training on cybersecurity can actually be better than going through a top university where you had a liberal arts degree. So it really depends on the nature of the education and the experience. And I didn't want to be prescriptive on that, because I just know that people come to their roles with different levels of experience, and so as not to prescribe something that fine for that requirement.

Peter Schumacher: Makes sense. I guess there's still hope; I can still be a CISO someday.

Maria Vuulo: Maybe.
Peter Schumacher: So, next question here is, what does the risk assessment need to include? It's kind of a two-part question. And then, what makes a general risk assessment different from penetration and vulnerability assessments?

Maria Vuulo: Okay. So, a risk assessment, it's a good question. A risk assessment is where the business units of the company, obviously managed somehow centrally, must assess the risk of the different business functions. So a bank may have different lines of business. Some of those businesses are at greater risk. The business that's at greater risk may be the business that has more customer information on a regular basis. Or you may have some business that has a greater risk because the information system is older and doesn't have as many controls. So the risk assessment really is an assessment of: these are the different business units, and do I give each a high, medium, or low risk? But it needs to be very thorough and in writing, and I will say there are standards out there to conduct risk assessments. The FFIEC does this, which is a sort of federal, organized, governmental-type organization. There are many third parties that do risk assessments on a regular basis. So there's definitely a means to do it. Penetration testing, actually, some people can do it internally or you hire a vendor to do penetration testing, which is a technological assessment where people try to act as hackers: people who are experienced cybersecurity professionals who can pretend that they are hackers, or do something to see if they can access the system, and a pen testing exercise will then enable the company to assess their vulnerabilities.
Maria Vuulo: Same with vulnerability assessments. And again, these are tools that are used to assess whether the controls that are being applied are adequate to prevent the intrusion by the hacker, the third party seeking entry. Whereas the risk assessment is an internal process to assess the different risks that the business and the business units have, in order to devise appropriate policies to match those risks. I hope that answered it.

Peter Schumacher: I hope so too. I guess we'll find out if it didn't answer the question. Just send me a note privately here and we'll see if we can get you more information.

Maria Vuulo: And people can contact me as well.

Peter Schumacher: Wonderful. Time for, I think, two more questions. Let me just get a clarification first, as this came in a couple of times. The question was whether the compliance certification to the board date is still February 15th or has it moved up to April 15th. So it's possible that it moved. I don't know if you know, Maria.

Maria Vuulo: I did hear that. I'm no longer at DFS; in the regulation we put a February 15 date. I did hear recently that that date may have been moved. So if that's the case, I guess all I would say is, if you're a regulated entity, just make sure that you're keeping in touch, and if there's a communication from DFS, that it is being followed. Obviously, if you did it by February 15th, you'd be ahead of the game. There is a second requirement.
Maria Vuulo: So I had done the February 15 for cybersecurity, and then there's an April 15th for Part 504, which is the transaction monitoring regulation that I had also done, and I had done two different dates for that. But again, if those dates have been changed by the current superintendent, then obviously people should follow those dates.

Peter Schumacher: Cool. And as I think the disclaimer usually states, check the DFS website for further information or the most up-to-date information.

Maria Vuulo: Correct.

Peter Schumacher: We'll point you there. And we'll have this as our last question due to the time. It says unsuccessful attempts must be reported to NYDFS. That's a question. Does that mean all intrusion events detected by IPS/IDS have to be reported, and if so, how often? So we'll let you start there.

Maria Vuulo: So the notice requirement is a 72-hour notice requirement, meaning that the obligation to report to DFS is within 72 hours of a determination. So clearly the company has to know, and the company has to determine that it's a reportable event, and then it has to be reported to DFS within 72 hours, and the notice...

Peter Schumacher: I think...

Maria Vuulo: Sorry, the unsuccessful attempts. So, right, it's the same notice requirement for both successful and unsuccessful. And the question, so if you learn that you had an intruder that made an attempt to disrupt or misuse an information system, but the intruder didn't actually gain access to information, you still need to report that event because there was an intruder, but the test is really whether, if successful, there would be a material impact on the business operations.
Maria Vuulo: And that's obviously a subjective judgment call, and the balance here is that you could learn a lot from unsuccessful events. Unsuccessful events can indicate a vulnerability. So the regulator wants to know about that, but the regulator doesn't want a lot of junk. The regulator doesn't want every phishing exercise, every malware. But if it's something that could have been a material event, that if successful could have led to a material risk to the business or to the disclosure of personal identifying information, then it's reportable to DFS. But again, on these questions too, I would say look at the DFS website, because before I left, we did FAQs to answer certain questions, because as the regulation was being implemented, people had questions, very valid questions, and we would put up FAQ responses to those questions. So I would check, and if it's still ambiguous, put in another FAQ. Obviously it's safer to report than not to report, but at the same time, you don't want to report every attempt at a phishing exercise. So it is a balance to be struck. And I would say engage with the regulator and follow the frequently asked questions and any other information from DFS on these questions.

Peter Schumacher: Wonderful. Thank you, Maria. Obviously an expert in your field, and thank you for all the valuable information and advice you provided. Hopefully everyone found this valuable. I'm going to end the polling now, and welcome everyone to join our next webinar. Look forward to seeing you again. And thank you, Maria.
Peter Schumacher: Appreciate everything.

Maria Vuulo: Thank you, everybody. Thanks for listening.

Peter Schumacher: Bye.

Maria Vuulo: Bye. Bye.
©2026 Mitratech, Inc. All rights reserved.