Will New York Reshape the Financial Regulatory Landscape?
A New York state regulation, which takes effect March 1, requires financial institutions to meet minimum cybersecurity standards and report breaches to regulators in an effort to limit consumer losses.
New York’s Department of Financial Services regulates numerous financial entities including credit unions, banks, trusts, budget planners, check cashers, money transmitters, licensed lenders, and mortgage brokers.
The DFS does not have jurisdiction over broker-dealers and registered investment advisors.
New York Governor Andrew Cuomo described the regulation in a statement as the first of its kind in the nation.
“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyberattacks.”
Cuomo also stated that these protections help ensure the industry has the necessary safeguards in place to protect itself and the New Yorkers it serves from the serious economic harm caused by devastating cybercrimes.
The new rules require written policies and procedures, risk assessments, monitoring and testing, audit trails, access controls, application security, third-party service provider cybersecurity standards, encryption, data retention, specific hiring and training practices, incident response planning, notification to the DFS regarding cybersecurity events, and annual compliance certifications.
A covered entity must also designate a chief information security officer to oversee and implement its cybersecurity program, policies, and procedures.
The revised rule gives financial service organizations at least a year-and-a-half to comply with the requirements.
Ben Carr, technical director of Americas at Tenable, a Columbia, Md.-based cybersecurity company, provided some perspective on the new regulations from a cybersecurity expert’s viewpoint.
“New York State’s new cybersecurity regulation is a step in the right direction, and it will certainly not be the last state to implement mandates to address this area. One of the most positive requirements is for a designated CISO. With the increased cyberattacks and data breaches targeting the financial industry, it’s hard to believe that some companies still have not established a CISO role.”
Carr did add that it is concerning that some of the requirements fail to meet standard security best practices.
“For instance, financial institutions are now required to assess systems for vulnerabilities on a biannual basis, but this doesn’t even meet the benchmark set by the Payment Card Industry Data Security Standard, which is considered the low bar for vulnerability assessment by many in the cybersecurity industry.”
The new regulation also calls for notification to the superintendent of all cybersecurity events.
“I am not sure that the superintendent is prepared for the volume of data about to come his or her way, and when he receives it, what action will he take?” Carr maintained.
Overall, the Tenable technical director views cybersecurity regulation as a positive step for the industry, but believes it’s important they offer realistic and tailored approaches for organizations of all sizes.
“All too often, smaller organizations find it difficult, if not impossible, to comply with resource-intensive requirements, while large organizations use these regulations as a justification to do no more than the bare minimum to meet the requirements. Instead of a one-size-fits-all strategy, I would have liked to see a tiered approach that accurately deals with the increased risk as company size increases.”
A comprehensive cybersecurity program’s foundation, Carr suggested, needs to address risk in an efficient and effective manner, not one designed to meet a regulatory requirement.
Read more about New York's new cybersecurity rules and the impact on credit unions in the March 1, 2017 print issue of CU Times.