Throughout 2018, senior leadership – and even the boards – of major financial institutions in New York will be discussing cybersecurity. This is something most security professionals have been hoping would happen for years, and the New York Department of Financial Services (NYDFS) made this a reality starting on March 1st, 2017.
Each company’s Chief Information Security Officer (CISO) -if you don’t have one appointed yet, you may soon – will now be responsible for delivering an annual report to the board on the state of their security program.
NYDFS made the significant change from just simply providing cybersecurity guidance, like the well-know NIST Cybersecurity Framework, to issuing mandatory regulation for all New York based financial services organizations. The regulation will require financial institutions to make changes to their organization’s people, processes and technologies. Here’s a quick overview of what each organization will be expected to accomplish prior to the first mandatory reporting date of February 15th, 2018:
- Appoint a CISO
- Provide detailed training on cybersecurity risks and regulations
- Hire individuals with cybersecurity expertise
- Establish a leadership-supported cybersecurity program
- Develop cybersecurity policies and procedures
- Implement controls over the secure development of systems/applications
- Perform periodic risk assessments
- Establish a third-party risk management program
- Develop an incident response program including a detailed plan and training
- Institute data retention and disposal standards
- Perform penetration testing and vulnerability scanning
- Create a reliable audit trail
- Limit access to privileged roles and non-public information
- Review system access on a regular basis
- Enable multi-factor authentication
- Monitor user activity
- Protect data in transit and storage with encryption
Over the next several months, organizations are going to be responsible for reporting on the state of their cybersecurity program as the 12-month (March 1st, 2018) and 18-month transitional periods (September 3rd, 2018) end. While many of these regulatory requirements are not new to information security teams, ensuring that organizations meet the nuance and not just the letter of the law will require changes to people, processes and even technology.
The growing number of regulations over the protection of financial systems and data is a key indicator of how critical a strong cybersecurity program is and the scrutiny that cybersecurity programs are coming under from big regulators. NYDFS may be the first big regulator to mandate cybersecurity in the finance industry but other states have already begun to follow suit. So, if you are in New York, we recommend following the guidance above. And if you aren’t in New York, then this should definitely be on your radar because there is a good chance it’s coming your way.