On the heels of a recent change in cybersecurity safeguards required by the CFTC, New York State’s Governor Cuomo has announced a first-in-the-nation proposal for new cybersecurity regulations to protect New York State residents and businesses from the ever-evolving threat of cyberattacks.
This new regulation requires financial services institutions like banks and insurance companies—and all those regulated by State Department of Financial Services—to establish and maintain a cybersecurity plan designed to safeguard consumers and the financial services industry as a whole.
According to Governor Cuomo, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises. This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”
The proposed regulation is pending a 45-day notice alongside a public comment period before it can be finalized, and it requires regulated financial institutions to:
- Adopt a written cybersecurity plan and policy
- Establish a comprehensive cybersecurity program
- Designate a Chief Information Security Officer to be responsible for the implementation and oversight of enforcing the institution’s new program and policy
- Create policies and procedures to ensure the safeguarding and security of non-public information and information systems that may be accessible by third parties—including extensive requirements to protect the confidentiality, integrity, and availability of IT systems.
The Department of Financial Services’ regulation requires eligible businesses to meet certain regulatory minimum standards—but it maintains a certain level of flexibility so that the final rule won’t stifle industry innovation. The ultimate goal of the regulation—in addition to the protection of consumers and the financial industry itself—is to encourage financial firms to diligently keep pace with innovations and advances in technology that can help them secure their consumer data.
Maria T. Vullo, New York State Department of Financial Services Superintendent said, “Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with. DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs. Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”
Before proposing the regulation, the Department of Financial Services (DFS) surveyed approximately 200 regulated financial institutions to ascertain the industry’s grasp on efforts to prevent cybercrime. In addition, DFS collaborated with cybersecurity experts and a select number of all businesses surveyed to discuss emerging risks, trends, and due diligence to ultimately determine and report on the best practices, policies, and procedures that will govern relationships with third party vendors.
Proposed Cybersecurity Requirements for Financial Services Companies
Regulated financial institutions will be required to implement a cybersecurity program that ensures the integrity, confidentiality, and availability of IT systems to perform the following functions:
- Identify potential cybersecurity risks and vulnerabilities.
- Prevent unauthorized access and malicious activities with the implementation of effective policies and procedures.
- Detect cybersecurity events and threats using available third-party providers and technologies.
- Respond to cybersecurity events and threats to mitigate any potential incidents or data breaches.
- Recover from cybersecurity incidents, protect consumer information and restore normal operations and services as quickly as possible.
With cybersecurity threats and compliance requirements evolving and advancing on a daily basis, financial firms that deal with protected or sensitive consumer information should consider a comprehensive, advanced threat protection approach to their IT security framework. If you’d like more information on safeguarding your business from cybersecurity threats, contact Intrinium for an IT cybersecurity and advanced threat assessment.