The controversial cybersecurity requirements proposed by the New York State Department of Financial Services (DFS) will become effective on March 1, 2017. After a last-minute revision to the proposal following heavy resistance by bankers at a hearing in December last year, the requirements have been reduced, but still impose many new obligations upon financial institutions licensed in New York.
The most significant changes are in:
- Data encryption
- Enhanced multi-factor authentication
- Annual certification
- Incident reporting
Data encryption will now be required for all non-public information both in transit and at rest (where encryption is infeasible, the revised rule permits compensating controls reviewed and approved by the CISO); multi-factor authentication will be required for any user accessing internal systems from an external network; an annual certification of compliance must be submitted by the chairperson of the board or a senior officer; and incident reporting will be broader than what is currently required, with notice to DFS due no later than 72 hours after a covered entity determines that a reportable cybersecurity event has occurred.
Appointing a CISO
Organizations will also be required to have a designated CISO (chief information security officer) to implement and oversee the organization's cybersecurity program. Employed either by the institution, one of its affiliates, or a third-party service provider, the CISO will be required to report in writing to the board at least once a year (the original proposal called for twice a year), identifying cyber risks, evaluating the effectiveness of the program, and summarizing material cybersecurity events.
Some organizations already have a CISO or similar role in place, but given the specific requirements that will come into effect, even those that do have one will have to review the position.
For those without an appointed CISO, like smaller banks and insurers, it is just one of several structural changes they will have to consider.
“One-size-fits-all” regulation will most affect smaller, rural organizations
For smaller organizations, the DFS proposal may be considered a counterproductive, “one-size-fits-all” approach. Speaking at last year’s hearing concerning the DFS’s proposal, Laura Mazzara (senior vice president and chief risk officer at Pioneer Bank, a community bank based in Albany) noted that the measures will lead to added investments, both financially and in terms of manpower, that will have a negative impact on smaller organizations such as hers.
“We’re concerned,” added James Whalen, Pioneer Bank’s associate counsel, “that the volume of information required to be reported could be quite voluminous, numbering in the hundreds and potentially thousands of incidents per year.”
With many of the compliance deadlines coming as early as this year, it is important for all organizations to be aware of the requirements and put the correct measures in place.
Not sure how to get started?
Sign up for our free webinars. Our experts will provide you with insights on individual requirements and how to apply a best-practice method to help you improve your cybersecurity defenses and diminish risks while staying on budget and meeting deadlines.
IT Governance provides everything you need to satisfy the DFS requirements and offers a full range of products for ISO 27001, a best-practice solution that will ensure you meet your compliance objectives. Find out more.