The state of New York has unveiled recommendations regarding cyber security regulations. They are directed at any company within the state that is governed by the Department of Financial Services – banks, insurance companies, and other financial services institutions. Andrew Cuomo, the governor of the state, said, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.” The governor went on to say, “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”
What Does This Mean?
Each Covered Entity shall establish and maintain a cyber security program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems. Among other requirements, each company must designate a qualified Chief Information Security Officer and must establish a cyber security policy that meets minimum standards.
These policy standards address things such as:
- Information Security
- Systems and Network Security & Monitoring
- Data Governance
- Customer Data Privacy
- Risk Assessment
- Incident Response
- Access Controls and Identity Management
These are just a few of the most important. The program must also include activities that companies should already be doing, such as:
- Annual penetration testing and risk assessments
- Quarterly vulnerability assessments
- An audit trail of system activity
- Access privileges limited for non-public information
- Qualified cyber security personnel with ongoing training
- Multi-factor authentication and encryption standards
- Data retention timelines
- An incident response plan
- Notification to the Department of any event that will materially affect the company’s normal operations
How To Begin?
The new cyber security regulations are detailed, wide-reaching and inclusive of many aspects of security. The best approach is to start with an experienced Chief Information Security Officer, develop a cyber security program and policy, and deploy both company-wide. That is most likely the easy part – the more difficult part will be the required monitoring, assessments and follow-up to ensure progress and prevent information compromise and loss. However, with the right technology partner and staff, your job in adhering to the new cyber security regulations will be much easier.
Companies Must Act Now
Banks, insurance companies and other financial services companies under the regulations of the NYDFS must act now, as this is likely the new law of the land beginning in 2017. The new cyber security regulations are subject to a 45-day notice period and public comment, but they are proposed to take effect on January 1, 2017, with a transitional period of 180 days from that date.
All companies, whether in financial services or not, and whether in New York or not, must take action now. Malicious actors want your information to sell it, hold it for ransom, or make it public to harm the owner. Protect your systems, data, employees and customers before the cyber security regulations make you do so – it’s the right thing to do.