NY Cybersecurity Regulations Change Training Requirements
The New York State Department of Financial Services (DFS) amended its proposed cybersecurity regulations on December 28, 2016, which changed the cybersecurity training requirements, delayed the effective date of the data security regulations, and loosened up strict obligations. This post covers how the training mandate has changed and whether those changes matter to compliance programs.
Under both the previous and new versions of the proposed data security regulation, anyone registered with the DFS, like many financial institutions operating in New York, must provide “regular cybersecurity awareness training” to all personnel and more specialized training to “qualified cybersecurity personnel.” The general training requirement is still there.
In the previous version, qualified cybersecurity personnel had to attend regular cybersecurity updates and training sessions, period. In the new version, these specialized personnel only need to take training and receive updates as needed to address relevant cybersecurity risks identified by the institution. The individual risk approach reflects the main thrust of the amendments – to make the regulation more flexible to accommodate different institution sizes and risk profiles.
For both types of training, the previous version required financial institutions to provide training and also to require personnel to take it. The new version only requires an institution to provide training to personnel; it doesn’t require anyone to actually take it. Apparently, the DFS thought this approach would make training and monitoring “more risk-based,” according to the DFS Assessment of Public Comments.
It would be a mistake for financial institutions to interpret this change literally. Such an interpretation would reflect a major compliance problem of providing “check-the-box” training that meets regulatory obligations, but doesn’t change anything internally for the better. What’s the point of training if no one is going to take it?
Instead, financial institutions should understand the importance of developing an effective ethics and compliance program, of which training is a necessary component. Conduct training, at a minimum, needs to reflect case-based learning and inclusive instructional design. If done right, training helps develop a culture of compliance, which regulators like the US Department of Justice, the US Securities and Exchange Commission, and FINRA expect to see in financial institutions across the nation. To learn more about cybersecurity training in particular, download this white paper on Data Security Training for Employees: Investing in the Human Firewall.
LawRoom (powered by EverFi) delivers online compliance courses to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.