As of March 1, 2017, New York State’s new cybersecurity regulations governing the financial services industry are now in effect. Dubbed “first-in-the-nation protections” by New York Governor Andrew Cuomo, these regulations require that institutions regulated by the NY Department of Financial Services (DFS) – including banks, insurance companies and other financial services providers – must establish and maintain a cybersecurity program that both protects the private data of consumers and supports the integrity of the industry in the state.
We – like most vendors – remain informed about new regulations such as this in order to better serve the managed service providers (MSPs) we work with. Ultimately, MSPs that are knowledgeable about legal trends in the industries they serve are able to offer superior and more tailored service to their end user clients. These MSPs can also ensure that their clients have all the information they need to make the right decisions around data security and regulatory compliance.
While the newly introduced regulations in question only affect financial services providers, and only those in New York State, this governmental action may very well influence other jurisdictions and localities to adopt similar regulations. At the same time, the regulations represent a best practices framework around data security that make a lot of sense for companies handling sensitive data, no matter their industry or location.
Here are the highlights of what MSPs serving organizations affected by these new regulations need to know:
1) A strong cybersecurity program is now required. Financial services organizations are now required to maintain a well funded, staffed and managed cybersecurity program, and to keep senior leadership informed it. The program must be led by a chief information security officer (or other such leader) who is responsible for safeguarding sensitive data.
2) Organizations must know their risks – and be ready to respond. Conducting security risk assessments and network penetration testing are now required practices for larger companies, and every organization must have security policies and incident response plans in place to preserve data. These plans must include protocols for alerting DFS within 72 hours in the event of a data breach.
Among other requirements, organizations must have access controls in place to guard against sensitive data falling into the wrong hands, and to protect that data with encryption so that all is not lost if and when sensitive data is accessed inappropriately.
