The State of New York recently announced new regulations, set to take effect on March 1, that require banks, insurance companies and other financial services companies to establish and maintain cyber security programs that meet specific standards.
“As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber attacks,” Maria T. Vullo, superintendent of the New York State Department of Financial Services, said in a statement.
The regulation requires companies to examine security at third party vendors, and to maintain a cyber security program that’s adequately funded and staffed, overseen by qualified management, and reported on periodically to the organization’s most senior governing body.
It also sets minimum standards for technology systems, including access controls, encryption and penetration testing, as well as minimum standards for addressing breaches, including an incident response plan, preservation of data, and notification to the Department of Financial Services.
Prevalent director of product management Jeff Hill told eSecurity Planet that the new rules demonstrate that regulators, state agencies, investors and other stakeholders are increasingly connecting the dots between financial health and cyber security. “The economic wake of a substantial data breach can stretch for years, impacting not only tangible bottom line results, but also inflicting reputational damage that can linger indefinitely.”
“New York State’s new rules are particularly forward-looking in that they emphasize the importance of understanding and managing third party risk, the source of more than half of all breaches according to a number of studies,” Hill added. “Addressing what is often the soft underbelly of many enterprises’ cyber security defenses — third parties/vendors — the State of New York is forcing a critical element of its economic infrastructure to cover all its bases.”
“In recent time, the regulatory pendulum has begun to swing in favor of a ‘lighter’ approach for banks, financial services and for other industries too, for that matter,” VASCO Data Security head of global marketing David Vergara said by email. “It’s good to see, however, that good sense regulations like this one have survived to offer additional consumer protection via thorough evaluations of third party vendors, comprehensive risk assessments and advocacy for stronger multi-factor authentication.”
And CipherCloud vice president of marketing Willy Leichter said regulations like these can have a nationwide impact. “A similar trend started 15 years ago when California passed S.B. 1386, creating the first legal requirements for public notification of personal data breaches,” he said. “This public scrutiny of data breaches has had an enormous impact on how organizations approach security, and led to 47 US states (and many other countries) enacting similar data privacy laws.”