New York State Unveils Strict New Cybersecurity Regulations
The governor of New York State has announced sweeping new cybersecurity regulations for the financial services industry, designed to improve resilience to online attacks and keep customer data safe.
Governor Andrew Cuomo finally announced the regulation on Thursday, concluding a process that began back in 2014. It was also delayed by a further couple of months in December after banks complained they needed more time to comply.
The regulation stipulates minimum security standards that financial services firms are obliged to meet, and encourages them to keep pace with technological change.
These include standards for access controls; data protection, including encryption; penetration testing; incident response plans; and preservation of data to support investigations.
It demands a cybersecurity program that “is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.”
It also stipulates accountability in organizations by requiring “identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to the Department of Financial Services (DFS).”
Firms also have to notify the DFS of any “material events” and scrutinize the security procedures of third-party providers – often a weak link when it comes to protecting data and systems from attack.
A DFS poll of 40 banks back in 2015 revealed that only around a third mandate that their partners notify them of any breaches.
“I know that defeating cybercrime requires not only prosecuting it, but taking necessary actions to prevent it,” claimed Manhattan district attorney, Cyrus Vance.
“DFS’s cybersecurity regulation will be a crucial tool in the ongoing battle against cyber-crime and identity theft by mandating that New York’s financial services industries adopt and put in place robust and appropriate controls to detect, thwart and report cyber incidents.”
The regulation will come into force on 1 March.
Source: Information Security Magazine