NY Cybersecurity Regulations Change Training Requirements 22:46, January 23, 2017


The New York State Department of Financial Services (DFS) amended its proposed cybersecurity regulations on December 28, 2016. The amendments changed the cybersecurity training requirements, delayed the effective date of the data security regulations, and loosened some of the strictest obligations. This post covers how the training mandate has changed and whether those changes matter to compliance programs.

Under both the previous and new versions of the proposed data security regulation, anyone registered with the DFS, like many financial institutions operating in New York, must provide “regular cybersecurity awareness training” to all personnel and more specialized training to “qualified cybersecurity personnel.” The general training requirement is still there.

In the previous version, qualified cybersecurity personnel had to attend regular cybersecurity updates and training sessions, period. In the new version, these specialized personnel only need to take training and receive updates as needed to address relevant cybersecurity risks identified by the institution. The individual risk approach reflects the main thrust of the amendments – to make the regulation more flexible to accommodate different institution sizes and risk profiles.

For both types of training, the previous version required financial institutions to provide training and also to require personnel to take it. The new version only requires an institution to provide training to personnel; it does not require anyone to actually take it. Apparently, the DFS thought this approach would make training and monitoring “more risk-based,” according to the DFS Assessment of Public Comments.

It would be a mistake for financial institutions to interpret this change literally. Such an interpretation would reflect a major compliance problem of providing “check-the-box” training that meets regulatory obligations, but doesn’t change anything internally for the better. What’s the point of training if no one is going to take it?

Instead, financial institutions should understand the importance of developing an effective ethics and compliance program, of which training is a necessary component. Conduct training needs, at a minimum, to reflect case-based learning and inclusive instructional design. If done right, training helps develop a culture of compliance, which regulators like the US Department of Justice, the US Securities and Exchange Commission, and FINRA expect to see in financial institutions across the nation. To learn more about cybersecurity training in particular, download this white paper on Data Security Training for Employees: Investing in the Human Firewall.

LawRoom (powered by EverFi) delivers online compliance courses to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

Douglas Kelly
Douglas Kelly is EverFi's lead legal editor. He writes on corporate compliance and culture, analyzing new case law, legislation and regulations affecting US companies. Before joining EverFi, he litigated federal and state employment cases and wrote about legal trends. He earned his JD from Berkeley Law and BBA from Emory University.
