The New York State Department of Financial Services today moved to impose stricter cybersecurity requirements on the state's banks and insurers.
The regulation, as it currently reads [full copy, here], takes effect on March 1, 2017.
The new measures require banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program.
So what’s new?
Well, the regulation now requires a seven-point "incident response plan" that must address the following:
- The [bank's and/or insurer's] internal processes for responding to a Cybersecurity Event
- Goals of the incident response plan
- A definition of clear roles, responsibilities and levels of decision-making authority
- External and internal communications and information sharing
- Remediation of any identified weaknesses in Information Systems and associated controls
- Documentation and reporting regarding Cybersecurity Events and related incident response activities
- Evaluation and revision of the incident response plan following a Cybersecurity Event
“New Yorkers must be confident that the banks, insurance companies and the other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information,” said Financial Services Superintendent Maria Vullo.