New York State Enacts Sarbanes-Oxley-Type Controls for Cybersecurity
In the wake of the accounting scandals that took down Enron and WorldCom, destroying billions of dollars in equity and shaking investor confidence to the core in the process, the United States Congress passed the Sarbanes-Oxley Act to protect investors and to punish senior executives who commit misconduct. The Act marked a remarkable shift in corporate governance: individual executives were now held personally responsible for the integrity of their companies' controls.
In response to breaches in the financial sector such as the 2014 JPMorgan Chase breach, which exposed data on roughly 83 million households and small businesses, the New York Department of Financial Services (DFS) issued new cybersecurity regulations that are being implemented on a staggered schedule. Starting last week, at least one senior executive at each of the more than 3,000 banks, insurers, and other financial services organizations doing business in New York State was required to personally certify that the organization's computer networks are protected by a cybersecurity program appropriate to its risk profile. This closely mirrors the Sarbanes-Oxley requirement that the CEO and CFO both attest that the organization has the proper internal controls in place to prevent financial fraud and that those controls are routinely audited.
The newly implemented DFS regulations are designed to give an organization's senior leadership accountability for and oversight of its cybersecurity posture, and to hold those leaders personally accountable for ensuring that the proper controls and audits are in place. Financial institutions covered by the rules must certify that they have:
Adopted a cybersecurity program appropriate to the bank’s risk profile.
Adopted cybersecurity policies designed to protect the bank’s information systems and the customer data they hold.
Appointed a chief information security officer “responsible for overseeing and implementing the [bank’s] cybersecurity program and enforcing its cybersecurity policy.”
Engaged qualified cybersecurity personnel (either staff or contractors) to help the CISO manage the company's cyber risk.
Developed an incident response plan.
Taken steps to control privileged access to its IT network.