Financial R&R: Strengthening Cybersecurity Amid NYDFS Changes
By Alliant Specialty
Ron Borys and Ryan Farnsworth welcome CJ Dietzman and David Finz, Alliant Cyber, to discuss recent amendments to the New York Department of Financial Services (NYDFS) cybersecurity regulations. The team breaks down the regulatory changes, their impact on financial institutions and best practices for compliance. Together, they emphasize how proactive cyber risk management goes beyond insurance, helping organizations strengthen security and enhance their overall insurability—an approach Alliant takes pride in delivering to clients.
Intro (00:01):
Welcome to Financial R&R, a show dedicated to financial insurance and risk management solutions and trends shaping the market today. Here are your hosts, Ron Borys and Ryan Farnsworth.
Ron Borys (00:13):
Welcome everyone. This is Ron Borys. I'm here with Ryan Farnsworth, and this is the Financial R&R. For those of you who have been following our regular podcasts, we love to talk cyber. Cyber seems to be always a good topic to discuss. Today's discussion is specific to some of the recent enactments of the New York Department of Financial Services, in connection with some of the cybersecurity requirements and things that are looking to be implemented within the businesses that are within the jurisdiction and oversight of the DFS. With us today, we have David Finz, who is quite a regular on the Financial R&R podcast and our in-house subject matter expert attorney when it comes to cyber claims, cyber policy wording, and a whole host of other cyber risk things. The other guest we have with us today is CJ Dietzman.
CJ is one of the senior leaders within our cyber consulting business. As many people know, our cyber consulting business has been around now for a little over two years. CJ leads the efforts there in helping our clients find that more rewarding way to manage cyber consulting and understanding all the various things and tools that go along with governance, controls, policies, procedures, et cetera. So CJ, really appreciate you taking some time today with Ryan and me to talk through this very topical, timely and important subject for our viewers.
CJ Dietzman (01:26):
Well, thank you so much Ron, Ryan and David. Always a pleasure to join you fellows for critical topics around risk, security, governance, compliance in financial services. This is a critical moment. Excited to get right into it with you.
Ryan Farnsworth (01:39):
Ron, you mentioned we love to talk about cyber risk during our Financial R&R podcast episodes. It's almost like whether we like to or not, it's something we should talk about. I think that that's probably a similar feeling that boards of directors, senior management teams and leaders have with respect to cyber risk. Part of that reason is because of the activity of the regulators and the activity that they've been pursuing with cyber risk for many, many years. There are a couple of different ways that we want to break that down today with CJ and with David, and what insurance aspects are related to those regulations. First and foremost, CJ, I think it would be helpful for our listeners to understand a quick background on the requirements that the New York Department of Financial Services has implemented as recently as November, what they plan to implement in their staged rollout in the coming months, and then we can talk about what the application is for financial institutions. Before we do that, let's jump back and understand what the requirements are and what's changing.
CJ Dietzman (02:40):
Sure thing, Ryan. Let's do that, and we'll do it in an accelerated way. Let's summarize history and also evaluate or at least define where we're at today and what's changed. First things first, going back to 2017, when New York Department of Financial Services enacted these new cybersecurity requirements commonly referred to as 23 NYCRR Part 500, for those keeping score of the regulatory identifiers, largely viewed as landmark regulation wherein New York Department of Financial Services said, this is the bar. If you fall under the banking law, the insurance law or the financial services law, you must have this foundational principles-based, risk-based approach to cybersecurity. As someone who was involved watching and commenting on the very early drafts, I will tell you that I think NYDFS got it right, principles based in that there's nothing new under the sun perhaps. NYDFS really embraced key objectives and elements of security, privacy, data protection, control and resiliency that are common in other frameworks and quite candidly, were already implemented by, I won't say most, but by many, many covered entities that fall under the new requirements. I'd say first things first, going back to 2017, the principles based approach that NYDFS took to these cybersecurity requirements did not include any surprises for financial services organizations who were serious about governance, risk, security, compliance, data protection. I think a lot of these things were already in place, focused on things like security policies, incident response, notifications, audits, penetration testing, dare I say, the blocking and tackling of cybersecurity and controllership, not new to many of these entities. However, there was significance in that this legislation really defined and mandated it.
The other thing I'll say, just very briefly, is the concept that it was directionally aligned and principles based. Covered entities have some leeway and flexibility in terms of how they implement these controls based on their own organizational risk assessment. I think DFS was very thoughtful about that. They were also very thoughtful about defining non-public information, or NPI, as being one of the determining factors or a critical determinant for cybersecurity requirements. So DFS applied a staged timeline of implementation. Then of course in November 2023 we say, what's changed? What we really want to talk about today is that with the latest amendment, going back to November of 2023, there are some enhanced requirements. I'll say it's more evolutionary than revolutionary. How do you like that? However, there are very important things that organizations need to be aware of. So it's a great time, Ryan and Ron, for organizations to take stock of what they were doing previously for DFS compliance or, if they have known deficiencies, let's make sure they get it right.
Ron Borys (05:52):
What I really love about this, CJ is we know now since building out our cyber consulting capabilities and all of our risk assessments, we've really tried to make the cyber discussion less about just the insurance and more about how do we work with our customers to properly keep them up to speed with all these evolutions, as you described them, of the way regulators are looking for our customers to prevent incidents to react and respond to incidents. But ultimately, at the end of the day, our goal is to try to help our clients avoid incidents by bringing in you and your team and some of the cyber risk engineers that we have on staff within your world to help CISOs and CTOs truly understand where they believe or where they're perceived to be vulnerable in some of these areas. Because at the end of the day, that seems to be what the purpose of regulatory bodies like the DFS are really focused on.
Again, insurance is great, and as I like to say, insurance is necessary, but when you're talking insurance, typically it's as a result of a failure. Something happened, either a breach event happened or something went wrong, and now the insurance is there to respond. But a lot of the work that you've been doing, and certainly David has been doing, is really helping our clients get out in front of these things, so that that incident either doesn't happen or is less likely to happen. Even more so, allow our clients to be more prepared, not only in the event of an incident, but when the regulators come knocking on their door, making sure that they're adhering to these changes, that they're very well prepared and equipped to respond accordingly. Is that fair?
CJ Dietzman (07:30):
Well said, Ron. I couldn't agree more. Something that I think is a unique opportunity with these DFS cybersecurity requirements, and I'm sincere when I say this as a practitioner, is that two things can be true. In addressing the DFS cybersecurity requirements from a compliance standpoint, there are some musts in there. It's a compliance matter, no doubt, and it'll come up in audits and inspections. Having said that, everything in there is so foundational. There's nothing in there that's out of left field, in my view as a security architect and practitioner, where I would say, well, why is DFS going there? No, actually, it really is directionally aligned with foundational blocking and tackling core security, okay? Aligned with some of the things you mentioned, Ron. It's not just a compliance exercise, and that's not the net objective. Let's prevent and mitigate cyber risk. That's what we all want. I think the wonderful side effect, perhaps, of the DFS cybersecurity requirements is that it will achieve those multiple objectives. David and I were actually just talking about this, the difference between compliance and security. David, what do you think?
David Finz (08:40):
No, that's absolutely right, and I'm going to introduce another component into that, which is insurability. The goal is to have a secure network to secure your data assets. In doing so, you become a more insurable risk. The DFS regs in no small way are going to inform the types of security controls that underwriters are going to be looking for when a financial institution goes through an insurance renewal. These controls, we're talking administrative, physical, technical tools and controls that they should have in place to mitigate risk, are the things that the underwriters are going to want to see. It positions you as a better risk, which not only in real terms reduces the likelihood and severity of an incident, it also makes you a more attractive risk to the underwriters, which gets you better pricing, better coverage terms.
Ryan Farnsworth (09:31):
It sounds like what we're thinking about is just basic blocking and tackling, right? Sounds easy, but it's not always the easiest way to execute. CJ, what was the technical name of the regulation again that you rattled off earlier?
CJ Dietzman (09:45):
Great point, Ryan, and the requirement is technically referred to as 23 NYCRR Part 500, or just part 500 for short.
Ryan Farnsworth (09:54):
Part 500. As you were rattling it off, it seemed like it was some complex NFL play call or something like that. We talk about the playbook that many teams may implement, maybe make it sound complicated, but in reality sometimes it's just basic blocking and tackling. Here's a two-part question, one for you, CJ, and two for David. Given the importance of complying with these regulations and then relaying those things to underwriters, what are some recommendations that you would close with for our listeners from a compliance perspective, and then David, from an insurance perspective, that people can focus on for the next six months until the next regulations are released?
CJ Dietzman (10:32):
Sure. Ryan, I love the question, and it's an important concept. So first things first, time to revisit the risk assessment, Ryan. Let's take a fresh look organizationally at cyber risk and sensitive non-public information. Let's take a fresh look at our controls and determine whether or not they're sufficient in alignment with the updates to the requirements. First things first, it doesn't need to be hard. You are absolutely correct, Ryan. In fact, leveraging the methodology as discussed in the guidance from DFS, taking that risk-based approach, starting with the risk assessment and aligning with top-down risk-based principles, the organization can then take meaningful action. Candidly, it's been my experience that, again, some evolution, some refinement is necessary, but this won't be, hey, we got to throw away what we did back in 2020 for DFS cybersecurity requirements and start again. No, in fact that couldn't be further from the truth. Take a foundational risk-based approach, start with the risk assessment, and we're helping a lot of clients on that front in that context. David, what do you think?
David Finz (11:40):
I agree wholeheartedly with what you're saying, CJ, that risk assessment enhances an organization's insurability. It makes them a more attractive risk to the underwriters. In terms of the coverage, what people should be aware of is that cyber insurance is a wonderful product. I'm a huge proponent of it, but it doesn't cover everything. The legal fees associated with responding to a regulatory inquiry such as one brought by DFS, no question, that should be covered under a cyber policy. However, fines and penalties are a little more nuanced. The best language available says that those are insurable when permitted by law, and that the jurisdiction most favorable to the insured will govern. Well, there's a little wrinkle in that when you're dealing with DFS, is that they have a track record of inserting language into their consent orders saying that the target of the investigation cannot use insurance proceeds to pay the penalty. So people should be mindful of that going in, in terms of the contours of their coverage, what it does and does not cover, because obviously an insurance carrier is not going to go against the direct guidance of a regulator in terms of whether insurance proceeds can be used to pay that penalty. But again, the very process of seeking cyber insurance, going through the underwriting process, can serve as a gut check for organizations to make sure that they have best practices in place, and our cyber risk consulting team can help them accomplish that.
Ron Borys (13:09):
Yes, and I've seen it firsthand for clients that we've recently acquired over the last 12, 18, 24 months since CJ, you've been here doing your thing, and cyber risk engineers coming in and becoming part of the renewal process. The results and the outcomes that we've been able to drive for our clients have been, quite frankly, exceeding expectations, both from our perspective and what we told them before, leading up to them becoming a client, and certainly the things that they expected, both in areas of retention amounts, premiums paid, and coverage enhancements given. I think the real takeaway here is, for listeners that are not currently using cyber consulting services as part of their cyber insurance strategy, reconsider that approach. It's not incredibly expensive. I can tell you most of our customers who have taken advantage of the services that CJ, your team is responsible for providing, have received the benefit financially in the form of premium decreases, retention reductions, et cetera, that more than pay for these services. When you think about how we're offering them and bundling them compared to if you were to go out and procure similar services on an a la carte basis, there's definitely value and efficiency there in the way we're offering these products versus how other firms might be doing it.
My takeaway here is, while the focus typically tends to be the insurance transaction and the purchase of insurance, if you can complement that with the folks on the front end doing the consulting work, the cyber risk engineering and all the consultative stuff that goes into cyber, you're going to find that more rewarding way to manage risk in the long run. Again, I think having these practitioners embedded in our infrastructure, in our client service experience, has really been a huge differentiator for us. I couldn't be happier to have two people like you and David here with Ryan and me to not only share your thoughts here on our podcast, but also in the trenches working with our customers each and every day. So with that, I think we'll wrap things up. For those who are interested in learning more about our Alliant cyber resources and capabilities, both on the consultative side and on the brokerage side, you can contact one of us or look us up on the web at www.Alliant.com. There's tons of information out there. I know CJ, you've put together some materials that we were going to look to also share as a supplement to this podcast. But again, if you're not having the conversation today, we strongly encourage you to reconsider having that conversation. We don't charge you to talk to us, right, CJ? A conversation is free. The ability to learn more about what we're doing is at no cost to you. I think if you're listening today and are not using these services, you will find a real difference in a very positive way with regards to how you're managing it on behalf of your company. With that, we'll wrap up today's session of the Financial R&R. Thank you everybody for tuning in and listening. Thank you again, CJ and David, for joining Ryan and me, and we look forward, CJ, to having you back on again real soon.
David Finz (16:11):
Our pleasure.
CJ Dietzman (16:12):
Thank you all. Good day.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.