When new cybersecurity regulations from the New York Department of Financial Services (NYDFS) take effect on March 1, 2017, financial institutions will have 180 days to implement them. If you think that doesn’t give you much time to ensure compliance, you are right. To help you prepare, today we provide an overview of the four main areas where affected organizations should be ready to put their resources to comply with the new laws. Although this is by no means a comprehensive guide to the regulations, our aim is to provide you with direction for solid starting points for your information security organization.

Area #1: Establishment of a Cybersecurity Program

If your organization is wondering what to do first, this is an area to prioritize. Your cybersecurity program documents will need to lay out:

Identification of cyber risks

Security policies and procedures

Security emergency response procedures

Disaster recovery

Performance of an annual penetration test

Quarterly vulnerability assessments

A key part of the establishment of a cybersecurity program includes performing a gap analysis to identify the most critical cyber risks in your company and to get an idea of where you will need to direct time and money to address those risks. An initial penetration test early on will also give you a baseline understanding of the degree to which your most critical data is within reach of the “bad guys” in the real world. These actions will give you direction for where to focus first in developing your program.

Area #2: Adoption of a Cybersecurity Policy

The policy must cover several areas, including but not limited to access controls, business continuity, third-party provider management, and security incident response. Of all the areas that need to be covered by the policy, the one that organizations tend to struggle with the most is data governance and classification. Knowing where data are and what level of criticality to assign to the data is difficult and important, and requires significant collaboration among information security (infosec) and IT operations teams. Adopting an effective policy also means the organization must be capable of effectively monitoring systems and networks, and embedding security and quality assurance in the development lifecycle.

Area #3: Appointing a Chief Information Security Officer

The shortage of good security talent in the market does not make this an easy requirement to meet. The right Chief Information Security Officer (CISO) will have technical, management, strategic, and compliance audit skills, and must report directly to the Board of Directors. For most companies, getting the proper person in this role will mean hiring from the outside rather than promoting a security manager from within. If your organization does not feel confident that they have the right skills already on the bench, a better option may be hiring a CISO as a service from a third-party service provider that has a track record of providing similar services.

Area #4: Third-Party Service Provider Management

Along with appointment of a CISO, this is probably one of the areas that organizations will find most challenging. Your third-party service providers must also meet requirements around minimum cybersecurity practices, and you will need to perform proper due diligence procedures to evaluate them. Make sure that you have the right requirements written into your contracts to avoid misunderstandings and disagreements later. We recommend creating a checklist for your vendors to help you ensure that you’ve set the right compliance expectations and that your third-party service providers hit the mark.

Financial organizations have a lot to do within six months in order to remain compliant! The most important things you can do to help yourself meet the compliance deadline are be ready to show that you have a system in place to evaluate risk and outline the control priorities of your organization. Your baseline risk assessment and initial penetration testing will provide the foundation to do this. Remember, you don’t have to do all of it alone. If you are feeling crunched for time or lacking in expertise in certain areas, bring in a professional with the right technical, strategic, and compliance background to do the work fast and do it right the first time.