New York State has released new proposed Cybersecurity Requirements for Financial Services Companies.  You can read the full proposal here.

According to the document, “the regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities…Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”

Among the requirements are written policies and procedures that are regularly approved by the company’s Board and that cover the following areas:

  1. Information security
  2. Data governance and classification
  3. Access controls and identity management
  4. Business continuity and disaster recovery planning and resources
  5. Capacity and performance planning
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and network monitoring
  9. Systems and application development and quality assurance
  10. Physical security and environmental controls
  11. Customer data privacy
  12. Vendor and third-party service provider management
  13. Risk assessment
  14. Incident response

Other requirements include:

  • the designation of a qualified Chief Information Security Officer
  • annual penetration testing
  • quarterly vulnerability assessments
  • maintenance of an audit trail
  • management of access privileges
  • annual review of application development security procedures
  • annual risk assessments
  • regular training of all cybersecurity personnel
  • policies and procedures addressing third party information security
  • a process requiring multi-factor authentication to access systems or data
  • policies and procedures for timely destruction of particular data

The proposal states that it would become effective on January 1, 2017, with the requirement for all Covered Entities to submit an annual Certification of Compliance with the New York State Department of Financial Services Cybersecurity Regulations starting January 15, 2018. There would be a 180-day transitional period from the effective date for Covered Entities to comply.

There is a 45-day comment period on the proposal.
