14 July 2017
Blogs by author: Janet Himmelreich, Head of Security, Risk and Compliance Centre of Excellence, BT.
Cyber security regulations affecting financial services companies licensed in New York State have come into effect — are you going to be ready for compliance by the 28th August of this year?
WannaCry is the latest cyber-attack to capture the public’s attention. But many others over the last year have threatened both operations and the safety of people’s data. The financial services industry, in particular, has been, and still is, a prime target.
Stealing financial identities is always going to be very appealing to those who carry out malicious attacks. And that’s why the New York State Department of Financial Services (NYSDFS) has introduced a new law, 23 NYCRR 500 “Cybersecurity Requirements for Financial Services Companies”, to make sure financial services organizations* licensed to operate in the state of New York have cyber security that’s proven to keep systems and data safe.
Requirements in this new law are all based around the size and risk profile of each covered entity, with the goal of protecting not only that entity’s solvency, but also the customers of the regulated businesses.
And you may not even be aware, as the law came into effect with little fanfare on 1st March 2017. It requires compliance by 28th August 2017 — with certification to the Superintendent of the NYSDFS due by 15th February of each year. This means 15th February 2018 is the first date for certification.
13 steps to successful compliance
The following steps should be taken to ensure your cyber security program can minimize the risk of attack, respond if an attack occurs and be compliant with these new regulations.
1. Perform a risk assessment, resulting in a plan to ensure compliance to the cyber security regulations.
2. Create and maintain a cyber security program.
3. Write cyber security policies.
4. Designate a CISO who’s responsible for overseeing and implementing the cyber security program and enforcing the cyber security policies.
5. Conduct penetration testing and vulnerability assessments of information systems.
6. Implement multi-factor authentication.
7. Mandate data retention limits.
8. Implement training and monitoring.
9. Encrypt all Non-Public Information (NPI).
10. Write procedures to ensure the use of secure development practices.
11. Develop incident response plans.
12. Provide notice of an incident to the NYSDFS superintendent.
13. Certify annually, by 15th February of each year.
Following this, you also need to ensure minimum cyber security practices are met by third-party vendors and that those vendors are assessed at least annually.
Later this month I will delve into more detail about how to make sure your policy is effective and more importantly, compliant.
*entities covered: state-chartered banks and trust companies; insurance companies; insurance producers; insurance adjusters; bail bond agents; service contracts; life settlements; budget planners; charitable foundations; check cashers; credit unions; investment companies; licensed lenders; money transmitters; mortgage bankers; mortgage brokers; mortgage loan servicers; premium finance agencies; private bankers; safe deposit companies; sales finance companies; savings banks; and savings and loans.