The New York State Department of Financial Services in 2015 announced plans to take more aggressive regulatory actions around cybersecurity compliance for insurance carriers in the state, including regular assessments of cybersecurity preparedness. The department recently followed that announcement up with a letter to other state and federal regulators with additional details about DFS' proposed policies and procedures around cybersecurity. What are some of the takeaways from the letter?
New York state is on the leading edge of cybersecurity regulation, and the November 2015 letter from the Department of Financial Services indicates that more financial cybersecurity regulations are on the way. Financial institutions that operate in New York state and are subject to DFS regulation should review this letter carefully and note that it discusses potential new requirements in several different areas. Regulated institutions would be required to build a comprehensive cybersecurity program that includes the following elements:
- Policies and procedures covering many different aspects of cybersecurity compliance;
- Management practices for third-party vendors with access to sensitive data or systems;
- Multifactor authentication for customer access to Web applications, privileged access to databases and external access to internal systems;
- Appointment of a CISO;
- Hiring of trained cybersecurity personnel;
- Annual penetration testing and quarterly vulnerability assessments;
- Maintenance of audit trails for sensitive systems; and
- Notification to the state of cybersecurity incidents.
Fortunately, none of these requirements should come as a surprise to financial institutions that already operate under the Gramm-Leach-Bliley Act and the Payment Card Industry Data Security Standard. Most financial institutions already have many, if not all, of the controls proposed by DFS in place and may find themselves with little more than extra paperwork to complete if DFS adopts new financial cybersecurity regulations. Institutions should still map each proposed element to an existing control rather than assume coverage: multifactor authentication for customer access to Web applications and notifying a state regulator of incidents, for example, go beyond what the GLBA Safeguards Rule and PCI DSS required at the time, and the quarterly vulnerability assessment and annual penetration testing cadence must be documented in a form an examiner can review.
Ask the Expert: answered by Mike Chapple.