Yesterday the New York State Department of Financial Services sent a letter to members of the Financial and Banking Information Infrastructure Committee announcing a plan to enact new cybersecurity regulations for financial institutions. The regulations would require covered entities to
- Maintain written internal cybersecurity policies and procedures;
- Maintain policies and procedures to ensure the security of data held by third-party providers;
- Adopt multi-factor authentication for some resources;
- Designate a CISO responsible for the institution’s cybersecurity program;
- Adopt procedures and guidelines to ensure the security of applications used by the entity;
- Employ personnel adequate to manage the entity’s cyber risks;
- Conduct annual penetration testing and quarterly vulnerability assessments;
- Maintain an audit trail system; and
- Notify the Department of cyber incidents.
While most sophisticated financial institutions already perform many of these functions, the regulations would add a new dimension to compliance. The requirement to employ certain kinds of personnel, in particular, will be controversial.