The New York Department of Financial Services (DFS) Cybersecurity Symposium on March 29 included a presentation entitled “Modernizing Cybersecurity Supervision,” given by Assistant Deputy Superintendent William Peterson. The presentation outlined new efforts by DFS to revamp its supervision process to address modern cybersecurity challenges and to better evaluate how companies can prepare for and respond to attacks.
Mr. Peterson identified several new tools intended to give DFS a more informative starting point and to create a more collaborative environment with covered entities. Security ratings are useful in settings like the DFS evaluations because they measure large pools of data. This data also gives an outside-in viewpoint, which will be combined with an inside-out viewpoint collected via a questionnaire process called the Cybersecurity and Information Technology Baseline Risk Questionnaire (CIBRQ). DFS-regulated entities will be required to periodically complete the new CIBRQ.
By combining traditional exam data and incorporating the cyber risk tools such as the CIBRQ, we can have a better understanding of a regulated company’s cybersecurity posture, enabling us to make better informed supervisory and policy-making decisions.
He also stated that ratings help organizations remove blind spots, monitor and prioritize vulnerabilities, and better understand third-party supply chain risks. Mr. Peterson also identified these scoring factors as part of the DFS evaluations:
Network Security
Application Security
DNS Health
Hacker Chatter
Patching Cadence
Information Leaks
IP Reputation
Social Engineering
DFS expects to begin using the CIBRQ in 2023 and will use it to guide supervision activities and identify risks and trends across a sector. Examiners will use the CIBRQ to assess 11 unique aspects of cybersecurity based on the NIST Cybersecurity Framework.