New York State has released new proposed Cybersecurity Requirements for Financial Services Companies. You can read the full proposal here.
According to the document, “the regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities…Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”
Among the requirements are written policies and procedures that are regularly approved by the company’s Board and cover the following:
- Information security
- Data governance and classification
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Capacity and performance planning
- Systems operations and availability concerns
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Risk assessment
- Incident response
Other requirements include:
- the designation of a qualified Chief Information Security Officer
- annual penetration testing
- quarterly vulnerability assessments
- maintenance of an audit trail
- management of access privileges
- annual review of application development security procedures
- annual risk assessments
- regular training of all cybersecurity personnel
- policies and procedures addressing third-party information security
- a process requiring multi-factor authentication to access systems or data
- policies and procedures for timely destruction of particular data
The proposal states that it would become effective on January 1, 2017, with the requirement for all Covered Entities to submit an annual Certification of Compliance with the New York State Department of Financial Services Cybersecurity Regulations starting January 15, 2018. There would be a 180-day transitional period from the effective date for Covered Entities to comply.
There is a 45-day comment period on the proposal.