Navigant's Cyber Risk and Information Security Practice


Financial Service Firms – Are You Ready for August 28th?

02 August 2017

Financial Services, Risk Management

Regulations are nothing new to the financial service industry, with standards such as Gramm-Leach-Bliley, the SEC Cyber Guidelines, and Sarbanes-Oxley. However, in the wake of industry-wide security attacks, the New York Department of Financial Services has added a new set of cyber security focused requirements to the ever-growing list. The cyber security requirements outline a robust cyber security program that all covered entities, from mortgage bankers/brokers to bail bondsmen, must develop and follow. The first deadline to meet these requirements is August 28, 2017, and it requires all non-exempt entities to:

  1. Develop a cyber security program.
  2. Develop a cyber security policy.
  3. Appoint a qualified Chief Information Security Officer (either internally or through a 3rd party).
  4. Assess and document policies/procedures for access privileges.
  5. Develop a cyber security team and provide them with ongoing training (either internally or through a 3rd party).
  6. Develop an incident response plan.
  7. Begin reporting to the Superintendent in the event that there is a security incident.

Many covered entities under NY DFS are scrambling to develop new policies and procedures to meet the above deadline, but there is a key component of these requirements that is often missed: the Risk Assessment. Though the DFS does not require the risk assessment to be performed until Phase 2 in March 2018, it is referenced in many of the above requirements and plays a critical role in developing the correct set of policies and procedures. Below are the key objectives of the risk assessment:

  • Identify top threats to your organization and the controls that are in place to mitigate those risks.
  • Determine gaps within current policies and procedures against DFS requirements.
  • Prioritize the gaps based on top risks to your organization and the DFS required deadlines.
  • Develop and implement a continuous cyber security program that complies with the DFS Cyber Security Requirements.

Performing a risk assessment is a quick and cost-effective way to identify your top threats and develop your cyber security program in accordance with the DFS standards. COMPASS performs NY DFS-compliant cyber risk assessments and is working with covered entities to meet the upcoming and future deadlines. For a quick guide to the DFS timeline, see our NY DEPARTMENT OF FINANCIAL SERVICES GUIDE. To discuss how COMPASS can help you with your risk assessment and other security needs, CONTACT US.
