Part Five: We Have a Plan (NY State Cybersecurity Regulation)
- October 5, 2017
In this installment of our blog series, Managing Privacy and Risk in Financial Services, we take a closer look at another regulation having impact on the industry.
NY State Cybersecurity Regulation, let me introduce you to ServiceNow’s Vendor Risk and Vulnerability Response. The initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ended last month. You’re ready, right? The new-ish NY State requirement calls for banks and insurers to scrutinize the security of third-party vendors that provide them goods and services. But wait… there’s more… more to this regulation, that is.
The regulations outline solid security practices like limiting distribution of personally identifiable information, demanding multifactor authentication and requiring organizations to test their cybersecurity systems. Testing systems… what a great idea! In theory. The problem is with the cadence of cyber risk certification. The regulation requires vendors to be checked quarterly or annually. It’s like checking the weather every 365 days. Nope… no rain today. Let’s check again next year. However, this is just the first step. They’re easing into this regulation. The cadence, among other things, will probably change over time in later versions of the regulation.
The combination of ServiceNow’s Vendor Risk, Vulnerability Response, Security Incident Response and Governance Risk and Compliance product is unmatched and unparalleled in addressing this regulation.
At ServiceNow, we understand security needs coverage 365 days per year.
While delving into this regulation, I turned to my colleague Piero DePaoli, our Senior Director of Product Marketing, Security Business Unit at ServiceNow, to offer insight:
Most financial services organizations have several of the building blocks to comply with much of the NY State Cybersecurity Regulation. After all, on average, an organization has 75 or more different security products deployed. Here’s the problem: the vast majority of these products are focused on prevention and detection. In order to truly create a CyberSecurity Program, CyberSecurity Policy and Audit trail – all key components of the regulation – organizations need more.
Here’s where ServiceNow can help. The regulation clearly states the need for not just prevention and detection capabilities but also response and recovery. ServiceNow Security Operations includes a Security Incident Response application which can manage the response and recovery process. It works with a company’s existing prevention and detection products to automatically create a security incident inside of ServiceNow. Once the security incident is created, it can then be prioritized based on the severity of the problem and the business criticality of the system that has a problem. This ensures that security teams are working on the most important security problems first. Next, a series of workflows, along with automation and orchestration, can manage the response process, including routing tasks to the appropriate teams, individuals or even directly to a security product, to take action. Once the immediate problem is solved, these same workflows can be used to manage the recovery process. These steps are critical to building and demonstrating a CyberSecurity program.
The legislation also states that the CyberSecurity Policy must include an incident response program. The Security Incident Response application in Security Operations gives financial institutions the ability to comply with the legislation here as well. Customers can simply take their paper-based standard operating security response runbook and digitize it on ServiceNow.
Finally, the legislation requires that financial institutions have an Audit Trail. ServiceNow can help here in several ways. First, the Vulnerability Response application within Security Operations can provide a complete history of when a vulnerable item is found by a third-party vulnerability scanner and when the vulnerability was resolved. The Security Incident Response application includes a “Post Incident Review,” which is a report used by auditing to see every action, time stamp, etc. during the incident response process. And lastly, the information in all of Security Operations can easily be transferred to ServiceNow Governance, Risk, and Compliance, as the current status of a security incident or vulnerability can certainly affect overall risk.
The NY State Cyber Regulation is a nice blueprint for financial institutions to follow, even for those who don’t do business in New York.
Piero DePaoli has more than 20 years of experience building and marketing mobility, security and cloud solutions for enterprises. Piero leads product marketing for ServiceNow’s security operations and governance, risk, and compliance solutions.
Check back in on Friday, October 6th, for the final installment of our blog series Managing Privacy and Risk in Financial Services.
Part Six: Rinse and Repeat (IT GRC)