Effective January 1, 2017, banks, financial institutions, and insurance companies in New York will be required to comply with new cybersecurity regulations. The New York cybersecurity regulations are closely aligned with the Center of Internet Safety’s 20 CIS Controls. The CIS controls are the industry standard when it comes to cybersecurity and threat prevention. New York, being the home of Wall Street and many financial services providers, took the initiative to impose cybersecurity best practices on the industry that so many Americans depend on, as the number of cybersecurity data breaches affecting business and financial service providers has been increasing. We’ve written extensively on this blog about the increase in data breaches and third-party data risks.
Key Provisions of the New York Cybersecurity Regulations
A few of the provisions that are particularly important include:
- Financial Service Providers Must Develop Cybersecurity Programs and Policies. All financial service providers that the new regulations apply to will be required to develop and implement a cybersecurity program, under Section 500.02 of the new regulations, and policy, under Section 500.03 of the new regulations, within 180 days of the regulations taking effect. The cybersecurity program is meant to ensure that the information systems of covered financial services providers is available, confidential, and resistant to attack. The cybersecurity policy is meant to provide the financial services providers with a framework on handling cybersecurity issues and risk prevention.
- Appoint a Dedicated Chief Information Officer. Financial services providers under Section 500.04 of the new regulations must appoint a dedicated Chief Information Security Officer who is tasked with overseeing and implementing the company’s cybersecurity policies and programs.
- Hire Dedicated Cybersecurity Personnel and Intelligence. Covered financial services providers must hire dedicated cybersecurity personnel tasked with managing the company’s cybersecurity programs. These dedicated employees must receive regular cybersecurity training, and must stay up to date on the ever-changing landscape of cyber security.
- Systems Will Be Subjected to Penetration Testing, Vulnerability Assessments, and Risk Assessments. Covered entities’ information systems will be subjected to regular penetration testing (at least once annually), vulnerability assessments (at least quarterly) and cybersecurity risk assessments (at least once annually).
- Implementation of Multi-Factor Authentication. Covered entities must implement systems that utilize multi-factor authentication for gaining access to secure information systems.
- Financial Services Providers Must Maintain an Audit Trail. Covered entities must develop and implement an audit trail system that tracks and maintains data that makes it possible for the company to complete a reconstruction of a breach or attack on their systems. The system must log authorized user access to the system and protect against hacking, tampering or interference with the system.
- Policies for Third Parties With Access to Covered Entities’ Systems. In situations where third parties have access to a covered entity’s information systems, the covered entity are required to develop policies that govern the third parties’ access to the system. Covered entities must hold third parties accountable for complying with the company’s cybersecurity policies.
Contact a Data Breach Attorney
The New York cybersecurity regulations for financial services providers is just one recent example of how the area of cybersecurity is constantly changing. Revision Legal consistently stays at the forefront of this change and can help you and your business with compliance and notification laws. Revision Legal works with entities in all fifty states to handle a wide array of cybersecurity issues. Contact the experienced data breach attorneys at Revision Legal using the form on this page or call us at 855-473-8474.
Photo credit to Flickr user julio lima.