The New York State Department of Financial Services (NYDFS) has proposed amendments to its cybersecurity requirements for financial services companies to help those companies strengthen their defenses against cyberattacks. The proposed amendments place additional responsibility for risk management on board members and senior executives. This will lead to internal discussions around the 3 R’s: risk, resilience and reputation.
Discussion #1: Risk
The proposed amended NYDFS rules clarify what is expected of the risk assessment and of risk-based authentication. The risk assessment is more than the identification of risk through threat and vulnerability analyses. It extends to the mitigation practices and processes that address those risks, and to the review of those practices, so that gaps opened by changes in technology and in personnel are closed as far as possible. By redefining the potential risk factors and setting up a more robust plan, board members can be better prepared for risk management.
Discussion #2: Resilience
Resilience follows naturally from better risk management practices. Instead of leaving board members and executives feeling overwhelmed by the proposed amendments, these discussions can shine a light on potential exposure and on how to raise the level of preparation for a cybersecurity attack. The question is no longer what to do if there is a cybersecurity attack, but what to do when there is one. By candidly discussing the NYDFS amendments, companies can make their board members more effective and increase the protection of the company’s infrastructure and data. Risk and resilience are intertwined and mutually reinforcing.
Discussion #3: Reputation
One of the most intangible yet vital issues is how poor preparation and unmanaged exposure can harm the reputation of the organization and of its board members. Reputations take years to build and only seconds to destroy. Current board members may be concerned that they do not fully understand what is now needed to maintain the organization’s cybersecurity health. Prospective board members may be reluctant to serve if the stakes are deemed too high. By holding candid discussions around risk management, and acting on them with modifications to processes and additional cybersecurity reviews, board members can feel empowered to step into these revised roles.
With a better understanding of risk management in this new cybersecurity environment, board members and senior executives add to their knowledge. That knowledge makes it more likely that a cybersecurity threat can be minimized, which increases the resilience of those individuals and of the organization, and greater resilience in turn protects reputations.
About the Author
Brian Walker is a cybersecurity advisor and the founder and CEO of The CAP Group, a firm working with directors and officers in the areas of cybersecurity and risk management advisement. His expertise is sought by clients ranging in size from global Fortune 500 to regional G2000. Learn more about the service offering from The CAP Group (https://www.thecap.group/).