Banks, insurance companies and other financial services companies that operate within the state of New York will soon be required to significantly strengthen their cybersecurity programs in an effort to further protect consumers’ personal and financial information.
The new regulations, proposed this week by the office of New York Gov. Andrew Cuomo and the New York Department of Financial Services, would require companies that are regulated by the NYDFS to establish a cybersecurity program, adopt a cybersecurity policy, appoint a chief information security officer, and apply additional levels of security when working with third-party service providers.
In a statement, Cuomo called the new regulations a “first in the nation” and noted the critical importance of protecting sensitive financial information.
“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” Cuomo said. “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”
Under the new regulations, which are subject to a 45-day notice and public comment period before a final issuance, NYDFS-regulated companies will be required to establish a cybersecurity program that performs the following functions:
- Identification of cyber risks
- Implementation of policies and procedures to protect against unauthorized access, use or other malicious acts
- Detection of cybersecurity events
- Response to identified cybersecurity events to mitigate any negative effects
- Recovery from cybersecurity events and restoration of normal operations and services
Companies will also be required to adopt a written cybersecurity policy that covers the following items, “at a minimum,” according to the NYDFS:
- Information security
- Data governance and classification
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Capacity and performance planning
- Systems operations and availability concerns
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Risk assessment
- Incident response
And companies must also add a chief information security officer to put all of those policies and procedures into place.
New York’s new rules come on the heels of news that the nation’s biggest banks, including JPMorgan Chase, Bank of America and Goldman Sachs, are joining together to share information on cybersecurity in a concerted effort to prevent future cyber attacks.
And with financial institutions holding so much confidential information about consumers and various financial instruments (mortgages included), increased security is more important than ever.
In fact, HousingWire magazine’s issue from April was dedicated to the rising problem of cyber security.
According to the NYDFS, New York’s rules were informed by discussions with nearly 200 regulated banking institutions and insurance companies, as well as cybersecurity experts, over emerging trends and risks, as well as due diligence processes, policies and procedures governing relationships with third-party vendors.
“Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with,” NYDFS Superintendent Maria Vullo said.
“DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs,” Vullo continued. “Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”