New data and web security regulations in New York may be tough for issuers to follow, but there's space in the rules to get help from outside parties.

The law, 23 NYCRR 500) which took effect on March 1, 2017, is in response to the increasing cybersecurity threats posed to customer information.

Recognizing that many firms may not have the necessary skills in-house, the regulations allow for many of these functions to be co-sourced to specialist firms. Indeed, the pervasive skill shortage of IT security talent makes the co-sourcing route an attractive option. Per the Harvey Nash/KPMG CIO Survey 2015, nearly sixty percent of CIOs believe skills shortages will prevent their company from keeping up with the changing pace.

Image: Bloomberg News
New York's new state rules for web crime are a tough compliance challenge, but the regulations also leave space to hire partners to help with the underlying technology work
Image: Bloomberg News

If you are licensed and/or regulated by the New York State DFS, you are now required to assess your specific security risk profile and design a program that addresses your organization’s risks, as well as file an annual certification that confirms you following the regulations. And for those outside of NY, take heed, as this will likely spread to other states.

At the root of all this is IT security mindfulness and the recognition that IT Security is a process, not a project. After all, projects begin and end, whereas security mindfulness is persistent. The requirements can be grouped into two general stages, that is, 1) setup and implementation of a security program, including an owner (CISO) and 2) practice it on a daily basis.

The core of the regulation requires that firms base IT security decisions on sound risk management practices. This means documenting policies and procedures for incident handling and response, monitoring audit trails and training employees. It’s a lot for even mid-size organizations to satisfy, even in sprit much less practice.

Co-sourcing is based on a long-term relationship and emphasizes values traditionally associated with partnering rather than with vending. This is different from outsourcing, in the sense that outsourcing is dumping your problems onto someone else, whereas co-sourcing is all about working hand-in-hand.

This gives rise to the opportunity for managed security services providers (MSSPs) to aid financial institutions in implementing a cybersecurity program that can identify and assess internal and external cybersecurity risks, detect and respond to cybersecurity events and fulfill applicable regulatory reporting obligations.

Complying with the mandate can be prohibitively expensive for small and mid-size banks, credit unions and financial organizations. Many can’t afford to hire a CISO, even a fractional or interim CISO, or assign the internal resources to fulfill the mandate of “making risk management the core of your security decisions.” This is where MSSP services fill the skill and budget gap.

Technology alone is a small part of the solution. Expert analysts and robust, disciplined and documented processes are the rest.