Earlier this year, the State of New York introduced a new set of regulations requiring banks, insurance companies and other financial services companies to establish and maintain cyber security programs that meet specific standards.
While the new rules had an effective date of March 1, 2017, four transition periods allow the requirements to take effect gradually.
The first of those transition periods ends today.
The requirements are extensive, and include the designation of a CISO, the creation of a written cyber security policy as well as a cyber security program that’s adequately funded and staffed, overseen by qualified management, and reported on periodically to the organization’s most senior governing body.
The regulations also set minimum standards for technology systems including access controls, encryption and penetration testing, along with minimum standards to address breaches, including an incident response plan, preservation of data, and notification to the Department of Financial Services.
Assessing Risk
SecureAuth CISO Danielle Jackson told eSecurity Planet by email that CISOs should start addressing the regulation by assessing and assigning risk to their environment. “This should help the CISO prioritize the overall security posture and security risk imposed to their environment while providing visibility into the gaps and areas of non-compliance with the regulations,” she said.
Giving the CISO a seat at the table with other executives, Jackson said, is a huge step forward. “Having the access and visibility to boards should enable CISOs to communicate the risk, show security impact to the business, highlight the importance of security initiatives, and continue to integrate security throughout the organization,” Jackson added.
Balabit compliance specialist Istvan Molnar said by email that one of the first changes most covered entities will have to tackle will be to limit access privileges to sensitive data and systems. “The regulations make no mention of a system that should be put in place, but having a privileged access management system to assist with this need will be critical,” he said.
“A more proactive approach would be to mandate close monitoring and analysis of suppliers’ activities in real time with more automated tools,” Molnar added. “Consistent monitoring of users’ behavioral biometrics, such as keyboard characteristics or mouse movements, would shorten breach and threat discovery, enabling institutions to avert or minimize breach impacts.”
Expanding Requirements
New York isn’t alone in introducing new cyber security regulations. Delaware recently passed HB 180, which updates the state’s law regarding cyber security breaches with the following key changes:
- specifically requiring the safeguarding of all personal information
- expanding the definition of a data breach
- clarifying the definition of encryption
- creating a “safe harbor” if breached data is encrypted
- expanding consumer protections when breaches are discovered
On signing the bill into law, Delaware Governor John Carney said in a statement, “We live in a digital world where threats to personal information are becoming more common, and the cyber threat is one of the most serious economic challenges we face.”
“It makes sense to offer additional protections for Delawareans who may have their information compromised in a cyber security breach,” Carney added. “At the same time, we will continue to connect businesses to training and resources that will help them safeguard and protect their data.”
“We can expect to see more states adopting tougher cyber security requirements,” AlertSec CEO Ebba Blitz said by email. “It is an important and necessary tool to help safeguard consumers and patients.”
“Lawmakers are enacting change intending to help, not hurt,” Blitz added. “Everyone needs to be aware and proactive to ensure our personal and private data is protected.”