NY state financial cybersecurity rule taking effect in March


steven36

A New York state regulation intended to protect the financial services industry and its consumers from cyberattacks is taking effect in March.


Gov. Andrew Cuomo (D) announced the regulation on Thursday, describing it as the first of its kind in the nation. The rule will require banks, insurance companies, and other entities regulated by the state’s Department of Financial Services to establish cybersecurity programs to protect consumers’ sensitive data and secure the financial services industry.

 

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks,” Cuomo said in a statement on Thursday. 

 

“These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes,” the governor added. 

 

The rule will take effect on March 1, 2017. The state submitted an initial proposal for comment in September and updated it in December to receive further input.

 

“As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber-attacks,” Maria Vullo, superintendent of the state’s financial services department, said.

 

The regulation puts in place controls to ensure financial firms maintain a “robust cybersecurity program” to protect consumers’ personal data, according to the governor’s office. It also establishes minimum standards for technology systems covering access control, encryption and penetration testing, and creates standards for addressing breaches.

 

By Morgan Chalfant

http://thehill.com/policy/cybersecurity/319959-new-york-state-to-adopt-new-cybersecurity-regulation-for-financial

Another law that can't be enforced. Why do politicians always think the solution to a problem is another law that doesn't stand a chance in hell of being enforced? If you want to stop cyber attacks, then you remove the systems from the internet and set up private networks. It would be a simple matter, for example, to use existing data lines to set up a private network between banking systems so criminals could not get into the systems and transfer money or access accounts. Likewise, access by users to their accounts could be separated from the rest of the bank infrastructure, so if an account was hacked there would be no chance of using it to access anywhere else in the bank. Systems similar to this have been used in law enforcement agencies for years for the NCIC (National Crime Information Center) System. You could call it a closed network, but it runs over current data cables through normal ISPs; the system just prevents any PC from accessing the system unless it meets certain configurations and settings, so even if you hooked a computer into the network it would not be able to access any information or communicate with other computers on the system.

Reworked N.Y. Cybersecurity Regulation Takes Effect in March

 

New York's controversial new cybersecurity regulation will come into effect March 1, imposing new rules on the banking and insurance sectors with the aim of better protecting institutions and consumers against cyberattacks.

 

The regulation, believed to be the first of its kind adopted by a U.S. state, highlights continuing frustration over data breaches and concern about whether private industry is moving fast enough to erect defenses against hacking.

 

"New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyberattacks," says New York Governor Andrew M. Cuomo.

 

The regulation includes requirements that financial and insurance institutions retain a CISO, report cybersecurity incidents within 72 hours and use multifactor authentication.

After input from private industry, the state eased off some of its more prescriptive proposals, such as a sweeping definition of what constitutes non-public information and specific requirements for technology vendors (see Critics Blast New York's Proposed Cybersecurity Regulation).

 

But the regulation will still be challenging for some organizations to implement, says Luke Dembosky, a partner with the Washington-based law firm Debevoise & Plimpton.

"It's one of the most comprehensive cybersecurity regulations in the financial sector," says Dembosky, who is a former cybercrime prosecutor with the U.S. Justice Department.

What Has to Be Done

Many of the requirements in the new New York regulation are steps that larger financial institutions have likely already taken.

For example, organizations must develop a cybersecurity program, including a written policy that addresses aspects such as access controls, business continuity, asset inventory and data governance. The CISO must send a report at least annually to the organization's board of directors, the new regulation states.

 

The cybersecurity program must include a periodic risk assessment plus annual penetration tests. Encryption must be used for data in transit and at rest, the new regulation states. Organizations also must develop a written incident response plan.

By Feb. 15 every year, organizations must submit a statement to New York's Superintendent of Financial Services that certifies compliance.

Although the regulation takes effect March 1, organizations have 180 days to comply. Other built-in grace periods give organizations up to two years to come into compliance with some provisions. And smaller organizations can apply for exemptions.

Regulation Raises Concerns

The American Bankers Association says that while the regulation takes a risk-based approach, which it supported, it will add a significant burden to banks. The group is also concerned that institutions haven't been given enough time to make changes.

"In addition, the rules could come in conflict with existing federal regulations, and may not provide enough flexibility to address the constantly evolving nature of cyber threats," according to a blog post in the ABA's Banking Journal.

 

It's possible that other states may look to New York to develop their own regulations, Dembosky says. But the risk is that organizations will focus too much on ticking boxes for compliance, he contends.

"No one wants the goal to be compliance for compliance's sake," he says. "The more alignment there is and consistency among regulatory frameworks, the better it will be. You don't want to devote all of your resources just trying to be compliant. You want to have in place the best practices to make the organization more secure."

 

By Jeremy Kirk

http://www.bankinfosecurity.com/reworked-ny-cybersecurity-regulation-takes-effect-in-march-a-9733
