New York Hits First Financial Security Regulation Deadline
New York state’s mandatory cybersecurity requirements for financial institutions reached a significant deadline, August 28, whereby covered entities must create a written security policy and appoint a chief information security officer.
The August date marks the end of a 180-day transitional period for the New York State Department of Financial Services cybersecurity regulations, which went into effect on March 1, 2017, and require financial institutions to meet minimum cybersecurity standards and report breaches to regulators in order to limit consumer losses. Covered entities must also limit access privileges to nonpublic data, periodically assess that process, and implement procedures to inform the state regulator within 72 hours of cybersecurity or data security incidents.
New York’s Department of Financial Services regulates numerous financial entities including credit unions, banks, trusts, budget planners, check cashers, money transmitters, licensed lenders, and mortgage brokers. The NYDFS does not have jurisdiction over broker-dealers and registered investment advisors.
The new rules, known as Section 500 or 23 NYCRR 500, apply to financial services companies licensed by New York, but not to nationally chartered institutions. Because the DFS is the first regulator to issue cybersecurity rules of this kind, they may be a harbinger for other state or national regulators.
The regulations require written policies and procedures, risk assessments, monitoring and testing, audit trails, access controls, application security, third-party service provider cybersecurity standards, encryption, data retention, specific hiring and training practices, incident response planning, notification to the DFS regarding cybersecurity events, and annual compliance certifications.
The first deadline for compliance under the regulations included formation of a written cybersecurity policy and designation of a CISO to oversee and implement its cybersecurity program, policies, and procedures.
Istvan Molnar, compliance specialist at privileged access management firm Balabit, said, “New York State’s Department of Financial Services will require covered entities to comply with the first transitional phase of its cybersecurity standards. Where do these organizations begin?”
He added that one of the first changes entities must tackle is access privileges (section 500.07 within the guidance), specifically limiting access privileges to sensitive data and systems. “This requires periodic audit reviews of user access.”
Molnar noted the regulation does not mention a specific system to put in place, but having a privileged access management system to assist with this need will be critical.
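The periodic user-access review that section 500.07 calls for can be made concrete. The following is an added example, not code from the article, from Balabit, or from the DFS: it checks each account's entitlements on systems holding nonpublic information against an approved role-to-entitlement mapping and a review calendar, and reports excess privileges, overdue reviews, and privileged access that has gone unused. The role mapping, the 90-day review interval, the 60-day dormancy threshold, and all account records are constructed assumptions for illustration.

```python
"""Periodic privileged-access review (added example; data is constructed).

Three checks that an access-review audit typically covers:
  1. excess-privilege: an entitlement not approved for the account's role
  2. review-overdue:   the account has not been reviewed within REVIEW_INTERVAL
  3. dormant-access:   privileged access that has not been used within DORMANT_AFTER
"""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # assumption: quarterly review cycle
DORMANT_AFTER = timedelta(days=60)    # assumption: unused-access threshold

# Constructed approved mapping: role -> set of (system, entitlement) pairs.
# A role absent from this table has no approved entitlements at all.
APPROVED = {
    "teller": {("core-banking", "read")},
    "loan-officer": {("core-banking", "read"), ("loan-db", "write")},
    "dba": {("core-banking", "admin"), ("loan-db", "admin")},
}


@dataclass
class Account:
    user: str
    role: str
    entitlements: set   # set of (system, entitlement) pairs currently granted
    last_reviewed: date
    last_used: date


@dataclass
class Finding:
    user: str
    kind: str
    detail: str


def review_access(accounts, today):
    """Return a list of Findings for every control violation found."""
    findings = []
    for acct in accounts:
        allowed = APPROVED.get(acct.role, set())
        # 1. Anything granted beyond the approved set for the role
        for system, ent in sorted(acct.entitlements - allowed):
            findings.append(Finding(acct.user, "excess-privilege",
                                    f"{ent} on {system} not approved for role '{acct.role}'"))
        # 2. Review cadence not met
        if today - acct.last_reviewed > REVIEW_INTERVAL:
            findings.append(Finding(acct.user, "review-overdue",
                                    f"last reviewed {acct.last_reviewed.isoformat()}"))
        # 3. Access still granted but not exercised recently
        if acct.entitlements and today - acct.last_used > DORMANT_AFTER:
            findings.append(Finding(acct.user, "dormant-access",
                                    f"last used {acct.last_used.isoformat()}"))
    return findings


def summarize(findings):
    """Count findings per kind, for the audit summary."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: the review date and four accounts in varying states.
TODAY = date(2017, 9, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "teller", {("core-banking", "read")},
            TODAY - timedelta(days=30), TODAY - timedelta(days=1)),
    Account("bob", "teller", {("core-banking", "read"), ("loan-db", "write")},
            TODAY - timedelta(days=120), TODAY - timedelta(days=2)),
    Account("carol", "dba", {("core-banking", "admin"), ("loan-db", "admin")},
            TODAY - timedelta(days=10), TODAY - timedelta(days=100)),
    Account("dave", "contractor", {("loan-db", "read")},
            TODAY - timedelta(days=5), TODAY - timedelta(days=3)),
]

if __name__ == "__main__":
    results = review_access(SAMPLE_ACCOUNTS, TODAY)
    for f in results:
        print(f"{f.user:8s} {f.kind:18s} {f.detail}")
    print(summarize(results))
```

The role mapping is the piece an organization must own: the review is only as good as the approved-entitlement table it compares against, so that table belongs under change control alongside the written policy the regulation requires.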
However, baseline privileged access management may not be enough. “A more proactive approach would be to mandate close monitoring and analysis of suppliers’ activities in real-time with more automated tools. Consistent monitoring of users’ behavioral biometrics, such as keyboard characteristics or mouse movements would shorten breach and threat discovery, enabling institutions to avert or minimize breach impacts,” Molnar explained.
New York Governor Andrew Cuomo described the regulation in a statement as the first of its kind in the nation. “New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyberattacks.”
Cuomo also stated that these protections help ensure the industry has the necessary safeguards in place to protect itself and the New Yorkers it serves from the serious economic harm caused by devastating cybercrimes.