Why / What You Should Know About the Proposed NYDFS 500 Regulatory Updates


C1Risk is the leading integrated risk management platform. It enables assets to be mapped to their associated risks, internal controls to be mapped to those risks, and external control requirements to be mapped to internal controls and policies. Integrate and automate your risk management for complete, continuous security.



The New York Department of Financial Services (NYDFS) will soon be updating the NYDFS 500 requirement. The proposed changes stand to have a significant impact on risk management programs well beyond the finance industry, because the SEC, the FTC and the Attorney General's Office are all following suit and adopting the same or similar requirements.

C1Risk's CEO recently sat down with Rick Borden, Partner in the Privacy and Data Security group at Franklin Kurnit Klein and Selz.


To view or listen to the conversation with Rick, subscribe, follow and listen to our latest podcast: All About Risk: How NYDFS Impacts All Companies


NYDFS Proposed Changes

The key proposed changes are:

  1. Your risk management program design must be based on the threats and risks identified by your risk assessment process. This brings new, heightened importance and scrutiny to the risk assessment process and, arguably, makes the case for companies to outsource and undergo an independent risk assessment to ensure the right questions are being asked and correctly answered.

  2. However, the risk requirement goes beyond an annual risk assessment. The proposal further requires that a process be in place for reviewing and changing programs in response to emerging risks. That process must include risk mitigation and/or risk acceptance procedures.

  3. Compliance enforcement now rises to the top: the responsibility rests with the CEO (which raises the question of individual versus company liability, as seen in recent cases such as Uber and Experian). Further, the board of directors must also be informed of risks to the organization and updated accordingly.

  4. Compliance is measured on an ongoing basis: the proposal indicates that a company that is out of compliance for even one day is "non-compliant" and therefore open to penalization.

  5. Ending on a potentially very positive note, and in keeping with the above, the proposal also specifies that the CISO must be allocated the appropriate resources to meet the stated requirements. As such, the requirement forces a dialogue between the board and/or CEO and the CISO to ensure that the risk management program is adequately funded and resourced.

Ultimately, the new proposal, if fully adopted, will require companies to implement a comprehensive risk management program, requiring both top-down governance and leadership engagement in risk management as well as the more commonly adopted bottom-up approaches of risk assessment, tracking and mitigation.

The emerging compliance universe is quickly becoming one of continuous risk management, where policies dictate the risk posture and practices of an organization and are themselves subject to modification based on continuous evaluation of the company's risk environment.

How can companies effectively implement a risk program to meet these requirements?

  1. Governance: A top-down risk approach that engages leadership in defining risk practices, risk appetite and thresholds is critical.

  2. Automation: Continuous improvement and evaluation simply cannot be implemented without a resource to identify, prioritize and track risks, new risks and risk mitigation.

  3. Integration: Companies need a platform that integrates Policy Management, Risk Management and Compliance to enable a holistic view of assets, risks, controls and issue mitigation for both leadership and the security team.

  4. Steps 1, 2 and 3 culminate in building a culture of risk across the organization where leadership ensures organizational alignment with risk policies, standards and procedures, and alignment of people, process and technology to deliver effective risk management.

