NY Department of Financial Services Cybersecurity Regulations

Yesterday the New York State Department of Financial Services sent a letter to members of the Financial and Banking Information Infrastructure Committee announcing a plan to enact new cybersecurity regulations for financial institutions.  The regulations would require covered entities to

  • Maintain written internal cybersecurity policies and procedures;
  • Maintain policies and procedures to ensure the security of data held by third party providers;
  • Adopt multi-factor authentication for some resources;
  • Designate a CISO responsible for the institution’s cybersecurity program;
  • Adopt procedures and guidelines to ensure the security of applications used by the entity;
  • Employ personnel adequate to manage the entity’s cyber risks;
  • Conduct annual penetration testing and quarterly vulnerability assessments;
  • Maintain an audit trail system; and
  • Notify the Department of cyber incidents.

While most sophisticated financial institutions already perform many of these functions, the regulations would add a new dimension to compliance. The requirement to employ certain kinds of personnel, in particular, will be controversial.

The letter is available as nybankrules.pdf: https://drive.google.com/file/d/0BzS0leqU862xcDNYbXZpSHYzZG8/preview?usp=drivesdk
