New cybersecurity regulations for financial institutions needed, says NYDFS
Barely a week goes by nowadays without a new high profile data breach hitting the headlines. While efforts have undoubtedly been stepped up with regard to cyber security – by both covered entities and industry regulators – evidently there is still much work to be done.
Last week, New York’s leading banking regulator – the New York Financial Department of Services (NYDFS) – unveiled details around its potential new cybersecurity regulations, aimed at improving cybersecurity standards within the insurance companies and banks which fall under its jurisdiction.
The details of the proposed regulations, which were sent in a letter to other state and federal regulators, included the most comprehensive information about the planned regulations to date.
Anthony Albanese, acting NYDFS superintendent, wrote, “It is our hope that this letter will help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions”.
Following recent cybersecurity reports and risk assessments undertaken by the NYDFS, as well as broader discussions with regulated entities, cyber security experts and other stakeholders, the following conclusions were noted in the letter:
- While advancements have been made by companies with regard to cybersecurity, programs must remain dynamic in order to keep pace with the fast changing landscape.
- Even if a company has a robust in-house cybersecurity system, if there are any weaknesses in third-party systems which have access to sensitive data, those systems will be ineffective.
- The severity of recent data breaches and incidents demonstrate that cybersecurity is a global concern that affects every industry at all levels.
Proposed cybersecurity regulations
Proposed regulations put forward by the NYDFS would require covered entities to perform cybersecurity functions in the following seven key areas.
- Cybersecurity policies and procedures Covered entities would be required to provide written policies and procedures that address 12 key areas, including information security, data governance & classification, and incident response, among others.
- Third-party service provider management Covered entities would be required to implement and maintain policies and procedures to ensure the security of sensitive data or systems that are accessible to, or held by, third party service providers.
- Multi-factor authentication Covered entities should address the use of multi-factor authentication for any systems that display confidential information.
- Chief Information Security Officer Covered entities would be required to employ or designate a qualified Chief Information Security Officer (CISO).
- Application security Covered entities would be required to employ personnel adequate to manage the entity’s cybersecurity risks and perform the core cyber security functions; identify, protect, detect, respond and recover. The entity would also be required to provide mandatory cybersecurity training for all key personnel.
- Audit Covered entities would be required to undertake annual cyber security audits, as well as maintain a four-part audit trail system.
- Notice of Cyber Security Incidents Covered entities would be required to immediately notify the Department of any cybersecurity incident that has a reasonable likelihood of materially affecting the normal operation of the entity.