Page 203 - Cyber Defense eMagazine June 2024

Below, please find a breakdown of the new expectations included in the regulation that you must adhere to in order to avoid penalties come May.



Expanded Scope

Gone are the days that just banks and insurers have to worry about building a compliant cybersecurity program. This new regulation has expanded the scope of applicability to include financial institutions of any size and third-party service providers.

New terms and classifications have also been introduced that extend the regulation's reach to new kinds of events and entities. For example, cybersecurity "event" and "incident" now have their own categories. A cybersecurity event is any act or attempt, whether successful or not, to disrupt an information system, while an incident is now defined as a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider and that may result in ransomware, material harm, or the need to notify a government body or regulatory agency.



Program and Policy Changes

Financial institutions must now not only conduct independent audits of their cybersecurity program, but also make all documentation of these audits available to the superintendent upon request. Furthermore, these documents must include "relevant and applicable provisions of a cybersecurity program maintained by an affiliate and adopted by the covered entity."


There is also more oversight now required of corporate cybersecurity policies. Under the new governance, financial institutions must now have their policies approved annually by the senior officer or senior governing body that oversees their compliance, and all procedures must be well-documented in accordance with the approved policy.

For those working to build out their policies, regulations now recommend that all policies include procedures for cybersecurity factors like data retention, end-of-life management, remote access, and more.



Governance Expectations

New regulations seek to formalize oversight of cybersecurity programs going forward. Financial institutions must now appoint a Chief Information Security Officer (CISO) to present cyber plans, issues, and changes to the Board. The CISO should also be heavily involved in annual reporting, including eradicating any material inadequacies.










Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.