The state of NY has officially instituted a new cybersecurity regulation that takes effect as of today, March 1st, 2017. This somewhat controversial new regulation imposes more detailed rules on the banking and insurance industries, with the goal of protecting consumers and institutions alike against cyber-attacks.
This is the first regulation of its kind to be adopted by a US state, though trends certainly indicate that others will likely follow suit due to continued frustration and concern over data breaches. Among other things, the law mandates that financial and insurance institutions officially employ a CISO, implement multifactor authentication policies, and report all cybersecurity incidents within 72 hours.
“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyberattacks.” ~ New York Governor Andrew M. Cuomo
In reality, many of the requirements in the NY regulation have already been implemented by larger financial institutions. For instance, the law requires that organizations:
- Develop comprehensive cybersecurity programs which include written policies that address such important factors as:
  - Access controls
  - Asset inventory
  - Data governance
  - Business continuity
- Perform periodic risk assessments and yearly penetration tests
- Use encryption for all data – both in transit and at rest
- Establish a written incident response plan
Additionally, the regulation states that CISOs must send annual reports to the board of directors. These things are already common practice for many institutions, so there won’t be much change for them.
“It’s one of the most comprehensive cybersecurity regulations in the financial sector.” ~ Luke Dembosky, former cybercrime prosecutor with the US Justice Department.
All organizations in the state of NY are required to submit a statement to the Superintendent of Financial Services by the 15th of February every year certifying compliance. Although the new regulation technically takes effect on March 1, all institutions affected by the policy have an additional 180 days to comply. Some built-in grace periods within the regulation provide up to two years to come into compliance with certain provisions. Additionally, smaller institutions may apply for exemptions.
Some of the details of this new regulation may be challenging to implement, particularly for smaller organizations with limited resources. Utilizing automated cybersecurity incident response may be the key to getting and staying compliant.