New NY Cybersecurity Regulation Aims to Keep Financial Institutions Data Secure
By John Humphreys, Senior VP of Business Development and Alliances at Proficio
In 2013, the state of New York experienced a record year for data breaches. According to TIME, the personal and financial information of a reported 7.3 million out of 20 million New Yorkers was compromised, and over 900 private and public institutions were breached. The number of data breaches in New York has continued to grow, increasing by 60% from 2015 to 2016.
In response to the increase in cyberattacks, the New York Department of Financial Services (DFS) established security standards for financial companies doing business within its borders. These standards, which went into effect in March of this year and recently reached their first compliance date on August 28, address concerns over financial companies policing their own security standards, a practice that can put citizens' personal information at risk of disclosure as the result of a cyberattack.
By rolling out this first-in-the-nation cybersecurity regulation, the New York DFS aims to stem the rise of financial data breaches and protect New York consumers. Banks, insurance companies, and other financial services institutions regulated by DFS are required to have a cybersecurity program designed to protect consumers' private data; a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer (CISO) employed to help protect data and systems; and controls and plans that are in place to help ensure the safety and soundness of New York's financial services industry.
The regulation imposed by the New York DFS is a set of best practices and a cybersecurity framework that should be used by all financial companies worldwide. Industry standards, such as PCI DSS, HIPAA, HITECH, NIST, and others, include similar rules to protect the sensitive data of their customers.
As of August 28, the NY cybersecurity regulation is being enforced, so financial organizations must put their service standards in place as soon as possible, if they haven't done so already. The DFS has the authority to impose significant penalties on organizations that do not comply. Penalties can range from revocation of an organization's license to a financial penalty of $250,000 per day.
Entities covered under the regulation include:
- New York Insured Depository Institutions
- New York Branches, Agencies, or Offices of Non-U.S. Banks
- New York Trust Companies
- New York Credit Unions
- New York Check Cashers
- New York Institutions with BitLicenses
- New York Mortgage Brokers
Since these regulations also apply to the vendors of the above Covered Entities, each organization should evaluate the third-party vendors with which it is associated.
Questions financial organizations should ask their vendors include:
- How much personal data are you handling?
- Do you have any cybersecurity strategies in place?
- Are you following or implementing proper policies and governance structures?
- Are your employees being trained on this regulation, as well as overall cybersecurity best practices?
New York is the first state to introduce this regulation for financial institutions, and New York regulators are hoping other states use their guidelines as a model. While not mandated to abide by these regulations, financial organizations in other states should look to New York as a best practices guideline.
Going forward, financial organizations that do not yet have cybersecurity plans in place must establish a strong and cohesive security program and adopt a robust cybersecurity policy. In order not only to meet compliance but to maintain it continuously, organizations should make sure they have enough staff in place and up-to-date technologies on hand to best support their security efforts.
CISOs need to develop and implement privacy policies and best practices for all third-party service providers that they employ. IT teams must conduct periodic risk assessments to ensure overall compliance. They will also be responsible for notifying the superintendent within 72 hours of determining that a cyber incident is likely to harm any part of the organization, so that an action plan can be deployed to resolve the issue with the least possible harm to the organization.