What are the proposed financial cybersecurity regulations from DFS?

The New York State Department of Financial Services announced plans to increase cybersecurity regulations for financial firms. Here's what those firms need to know about the proposed regulations.

The New York State Department of Financial Services in 2015 announced plans to take more aggressive regulatory actions around cybersecurity compliance for insurance carriers in the state, including regular assessments of cybersecurity preparedness. The department recently followed that announcement up with a letter to other state and federal regulators with additional details about DFS' proposed policies and procedures around cybersecurity. What are some of the takeaways from the letter?

New York state finds itself on the leading edge of cybersecurity regulations, and the November 2015 letter from the Department of Financial Services indicates that more financial cybersecurity regulations are on the way. Financial institutions that operate in New York state and are subject to DFS regulation should review this letter carefully and note that it discusses potential new requirements in several different areas. Regulated institutions would be required to build a comprehensive cybersecurity program that includes the following elements:

  • Policies and procedures covering many different aspects of cybersecurity compliance;
  • Management practices for third-party vendors with access to sensitive data or systems;
  • Multifactor authentication for customer access to Web applications, privileged access to databases and external access to internal systems;
  • Appointment of a CISO;
  • Hiring of trained cybersecurity personnel;
  • Annual penetration testing and quarterly vulnerability assessments;
  • Maintenance of audit trails for sensitive systems; and
  • Notification to the state of cybersecurity incidents.

Fortunately, none of these requirements should come as a surprise to financial institutions that already operate under the auspices of the Gramm-Leach-Bliley Act and the Payment Card Industry Data Security Standard. It's likely that financial institutions already have many, if not all, of the controls proposed by DFS in place and will only find themselves with a little extra paperwork to complete if DFS adopts new financial cybersecurity regulations.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

This was last published in April 2016