Did you know that new cybersecurity requirements designed to protect the Financial Services industry and its consumers go into effect on March 1? The first-of-its-kind law requires banks, insurance companies, and other Financial Services providers regulated by the New York Department of Financial Services (NYDFS) to implement cybersecurity programs that meet minimum security standards. The rules impose unprecedented requirements on these companies to protect their networks and customer data from data loss and to disclose cyber events to state regulators.
Adopting industry best practices, the regulations mandate such things as:
- Properly funded cybersecurity programs;
- Trained and qualified staff;
- Standards that measure an organization’s current risk posture and deficiencies;
- Remediation plans;
- Data protection encryption requirements;
- Continuous and ongoing monitoring and risk assessment;
- Documented incident response and notification strategy; and
- Annual certifications of compliance with the NYDFS requirements.
The regulation defines “covered entities” as those organizations that operate under a license or charter regulated by New York banking, insurance or Financial Services law. Exemptions apply to companies with fewer than 10 employees, gross revenue under five million from their New York operations, or less than ten million in total assets, as well as to National Banks, Federal credit unions, and broker-dealers.
A regulated entity must develop its cybersecurity program based on its specific risk assessment when designing its policies, infrastructure, detection, response and notification capabilities. Interestingly, the new regulations require regulated companies to assess their third-party suppliers and report breaches emanating from those organizations. Third-party vendors have increasingly become the weak link in the security chain. According to a Soha Systems Security survey, 63 percent of all data breaches can be attributed to a third-party vendor.
Companies must become compliant within 180 days. The regulation does provide additional time to comply with some of its requirements (i.e., penetration testing, risk assessment, data encryption and third-party compliance programs).