NY Department of Financial Services Cybersecurity Regulations

Yesterday the New York State Department of Financial Services sent a letter to members of the Financial and Banking Information Infrastructure Committee announcing a plan to enact new cybersecurity regulations for financial institutions.  The regulations would require covered entities to

  • Maintain written internal cybersecurity policies and procedures;
  • Maintain policies and procedures to ensure the security of data held by third party providers;
  • Adopt multi-factor authentication for some resources;
  • Designate a CISO responsible for the institution’s cybersecurity program;
  • Adopt procedures and guidelines to ensure the security of applications used by the entity;
  • Employ personnel adequate to manage the entity’s cyber risks;
  • Conduct annual penetration testing and quarterly vulnerability assessments;
  • Maintain an audit trail system; and
  • Notify the Department of cyber incidents.

While most sophisticated financial institutions already engage many of these functions, the regulations would add a new dimension to compliance.  The requirement to employ certain kinds of personnel, in particular, will be controversial.

Leave a Reply

Your email address will not be published. Required fields are marked *