Around this time a year ago, I was engaging the New York Department of Financial Services on its then-recently released Cybersecurity Requirements for Financial Services Companies.
The rules were the first of their kind in the nation and they had been launched in September 2016 to take effect in March this year.
More recently I found myself in a similar situation with regulators in Kenya. This time I was talking to the Central Bank of Kenya (CBK) regarding its August 2017 Guidance Note on Cybersecurity. In the heat of Kenya’s landmark political season, the CBK released game-changing cybersecurity rules that put the country on par with Wall Street.
The two sets of regulations, in Kenya and New York, have several similarities but they also have significant divergences.
Both regimes take a three-pronged approach to the governance of cybersecurity compliance: holding the board of directors and senior management directly responsible, and introducing the role of the Chief Information Security Officer (CISO).
Because corporate governance of cybersecurity tends to be IT-centered, the inclusion of the board and senior management is likely to strengthen cybersecurity governance by promoting a more holistic approach to managing cyber risk.
The Guidance Note goes further than the New York regulations by enumerating the responsibilities of the board and senior management.
Specifically, the CBK note gives a bank’s board the specific mandate to understand the nature of cyber threats and maintain robust oversight and engagement on cyber risk matters.
The board is expected to approve and continuously review the cybersecurity strategy, governance charter, policy and framework. Moreover, the board is required to allocate an adequate cybersecurity budget and ensure that the cybersecurity policy applies to “all of the bank’s operating entities, including subsidiaries, joint ventures and geographic regions.”
Senior management employees are responsible for implementing the board-approved cybersecurity strategy, policy and framework, and providing regular reports of the bank’s cybersecurity state to the board.
They are obligated to continuously improve collection, analysis and reporting of cybercrime information, and to collaborate with “other institutions and the security agencies to share the latest cyber threats/attacks encountered by the institution.”
In addition, they are expected to provide sufficient skilled staff for the management of cybersecurity, establish a board-approved cybersecurity benchmarking framework, and oversee the analysis and management of third-party risks.
The Guidance Note introduces the CISO as part of the senior management team, with the role of overseeing and implementing a bank’s cybersecurity programme and enforcing cybersecurity policy.
Moreover, the CISO is to design cybersecurity controls that take into account internal and external user levels, and ensure sufficient mechanisms to monitor “IT systems to detect cybersecurity events and incidents in a timely manner.”
Other, more specific responsibilities of the CISO include staff training, overseeing comprehensive cyber risk assessments, and maintaining incident response mechanisms and Business Continuity Plans. Among other things, the CISO is to report to the CEO at least once per quarter on the assessment of the information systems used by the bank.
The New York regulation similarly requires that the CISO be responsible for overseeing and implementing the cybersecurity programme and enforcing cybersecurity policy.
In addition, the CISO of a New York-based financial institution has to appoint senior personnel to manage third-party service providers and provide at least an annual report to the board of directors.
The report covers the company’s cybersecurity programme and cybersecurity risks that take into account the confidentiality of certain defined nonpublic information, the integrity and security of information systems, and “material Cybersecurity Events” among other things.
The two regulations differ in scope of application: the Guidance Note covers banks, while the New York regulations apply to banks, insurance companies and other financial institutions.
The covered entities in both cases include foreign entities domiciled in the respective jurisdictions. Unlike the Kenyan requirements, the New York rules provide limited exemptions from compliance for entities with fewer than 10 employees, $5M in gross annual revenue and $10M in year-end total assets.
Whereas the Guidance Note calls for reporting of cybersecurity events within 24 hours to the CBK, New York requires that the Superintendent of Financial Services be notified no later than 72 hours after a cybersecurity event is determined to have occurred.
This difference is significant and places Kenya-based banks under greater scrutiny to have robust incident discovery, assessment and management mechanisms that account for internal and external risks.
It is worth noting that New York’s 72-hour timeline is in step with the European Union’s breach notification period under the General Data Protection Regulation, one of the most rigorous data protection regimes.
The outstanding question in both frameworks is the (absence of) enforcement mechanisms.
Okwara specialises in cybersecurity, data protection and privacy and defence.