In case you didn’t already know, banks are prime targets for cyber criminals. Financial organizations suffered 52 data breaches last year, according to figures from the Identity Theft Resource Center, and 72,000 records were compromised. With the number of cyber attacks rising across the country, the New York State Department of Financial Services (DFS) is on the alert.
As we have previously reported, the DFS recently proposed – and subsequently revised – new, rigorous cybersecurity requirements for banks, consumer lenders, money transmitters, insurance companies, and other financial service providers (i.e. ‘Covered Entities’). These requirements include a risk assessment, the details of which are outlined in section 500.09 of the proposal.
Are you prepared?
A risk assessment is one of the first tasks an organization should complete in order to build its cybersecurity policy and program: it identifies the threats, vulnerabilities and business impacts that every later control decision is supposed to rest on.
The DFS proposal emphasizes that an organization’s cybersecurity policy should be based on the findings of its own risk assessment. This assessment must tackle the key issues that the DFS has highlighted throughout the proposal process. In an article covering the full report, the Harvard Law School Forum summarizes the role the risk assessment should play in the following areas:
- Penetration testing and vulnerability assessments should be tailored to the risks and vulnerabilities identified in the risk assessment. Testing may be omitted only if the entity maintains “effective continuing monitoring, or other systems to detect, on an ongoing basis, changes […] that may create or indicate vulnerabilities.”
- Audit trail systems should be based on the risk assessment.
- Access privileges to systems that provide ‘Nonpublic Information’ should be limited based on the findings of the risk assessment.
- Security policies and procedures accessible to third parties will depend on applicable facts as well as the risk assessment.
- Multi-factor authentication should be implemented if deemed necessary by the risk assessment.
- Whether to encrypt ‘Nonpublic Information’ or to employ alternative compensating controls should be determined by the risk assessment.
Putting a policy in place
If you don’t know where to begin, our vsRisk™ software can help your organization prepare and give you a clear picture of your risks and threats. Providing a framework to start your cybersecurity program, you can save time, effort and expense with this risk assessment tool. Learn more about vsRisk™ >>
Have you registered for our free webinar: NY State’s cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO? In this webinar, we will cover best practices for penetration testing and vulnerability assessments, and how to include staff training to create a strong information security system that addresses people, processes, and technology.