New York Imposes New Cybersecurity Regulations featured image

New York Imposes New Cybersecurity Regulations

by John DiGiacomo

Partner

Data Breach

Effective January 1, 2017, banks, financial institutions, and insurance companies in New York will be required to comply with new cybersecurity regulations. The New York cybersecurity regulations are closely aligned with the Center of Internet Safety’s 20 CIS Controls. The CIS controls are the industry standard when it comes to cybersecurity and threat prevention. New York, being the home of Wall Street and many financial services providers, took the initiative to impose cybersecurity best practices on the industry that so many Americans depend on, as the number of cybersecurity data breaches affecting business and financial service providers has been increasing. We’ve written extensively on this blog about the increase in data breaches and third-party data risks.

Key Provisions of the New York Cybersecurity Regulations

A few of the provisions that are particularly important include:

  • Financial Service Providers Must Develop Cybersecurity Programs and Policies. All financial service providers that the new regulations apply to will be required to develop and implement a cybersecurity program, under Section 500.02 of the new regulations, and policy, under Section 500.03 of the new regulations, within 180 days of the regulations taking effect. The cybersecurity program is meant to ensure that the information systems of covered financial services providers is available, confidential, and resistant to attack. The cybersecurity policy is meant to provide the financial services providers with a framework on handling cybersecurity issues and risk prevention.
  • Appoint a Dedicated Chief Information Officer. Financial services providers under Section 500.04 of the new regulations must appoint a dedicated Chief Information Security Officer who is tasked with overseeing and implementing the company’s cybersecurity policies and programs.
  • Hire Dedicated Cybersecurity Personnel and Intelligence. Covered financial services providers must hire dedicated cybersecurity personnel tasked with managing the company’s cybersecurity programs. These dedicated employees must receive regular cybersecurity training, and must stay up to date on the ever-changing landscape of cyber security.
  • Systems Will Be Subjected to Penetration Testing, Vulnerability Assessments, and Risk Assessments. Covered entities’ information systems will be subjected to regular penetration testing (at least once annually), vulnerability assessments (at least quarterly) and cybersecurity risk assessments (at least once annually).
  • Implementation of Multi-Factor Authentication. Covered entities must implement systems that utilize multi-factor authentication for gaining access to secure information systems.
  • Financial Services Providers Must Maintain an Audit Trail. Covered entities must develop and implement an audit trail system that tracks and maintains data that makes it possible for the company to complete a reconstruction of a breach or attack on their systems. The system must log authorized user access to the system and protect against hacking, tampering or interference with the system.
  • Policies for Third Parties With Access to Covered Entities’ Systems. In situations where third parties have access to a covered entity’s information systems, the covered entity are required to develop policies that govern the third parties’ access to the system. Covered entities must hold third parties accountable for complying with the company’s cybersecurity policies.

Contact a Data Breach Attorney

The New York cybersecurity regulations for financial services providers is just one recent example of how the area of cybersecurity is constantly changing. Revision Legal consistently stays at the forefront of this change and can help you and your business with compliance and notification laws. Revision Legal works with entities in all fifty states to handle a wide array of cybersecurity issues. Contact the experienced data breach attorneys at Revision Legal using the form on this page or call us at 855-473-8474.

Photo credit to Flickr user julio lima.

 

Extra, Extra!
Recent Posts

The Minnesota Consumer Data Privacy Law: What Businesses Should Know (Part Two)

The Minnesota Consumer Data Privacy Law: What Businesses Should Know (Part Two)

Internet Law

In May 2024, Minnesota enacted the Minnesota Consumer Data Privacy Act (“MCDPA”). In Part One of this two-part article, the Consumer Data Protection Attorneys at Revision Legal discussed the consumer rights and consumer-facing business obligations imposed by the MCDPA, including additional consumer rights related to automated decisions that utilize profiling data. The MCDPA allows consumers […]

Read more about The Minnesota Consumer Data Privacy Law: What Businesses Should Know (Part Two)

Advantages of Forming Corporate Entities for Operating Your Business

Advantages of Forming Corporate Entities for Operating Your Business

Corporate

Under most circumstances, the experienced Business Lawyers at Revision Legal deem it prudent for clients to operate their businesses through a corporate entity like a standard corporation or a limited liability company. Of course, there are some circumstances where a partnership of some type might be the better option, but it would be a rare […]

Read more about Advantages of Forming Corporate Entities for Operating Your Business

The Minnesota Consumer Data Privacy Law: Summary For Consumers

The Minnesota Consumer Data Privacy Law: Summary For Consumers

Internet Law

In May 2024, Minnesota enacted a consumer data privacy statute called the Minnesota Consumer Data Privacy Act (“MCDPA”). About 20 States have enacted consumer data privacy statutes similar to the MCDPA, and the MCDPA follows the general template of those statutes. However, there are some unique and additional features of the MCDPA that are very […]

Read more about The Minnesota Consumer Data Privacy Law: Summary For Consumers

Put Revision Legal on your side

Let's Discuss Your Case