The New York State Department of Financial Services has proposed a new regulation imposing significant new cybersecurity requirements on banks, insurance companies, and other financial services institutions regulated by DFS .
The new requirements will require such institutions to, among other things, establish and maintain a cybersecurity program, create an immediate response plan for security breaches, and designate a qualified individual to serve as Chief Information Security Officer (“CISO”). The Proposed Regulation contemplates an effective date of January 1, 2017, with compliance required 180 days later
http://www.jdsupra.com/legalnews/new-york-state-proposes-new-27798/
I’m not sure what the Cybersecurity posture was for the 200 firms that DFS interviewed, but it seems that the “Proposed Regulation” is trying to catch up to current industry standard and practices. Financial institutions have always been and is the largest target for cyber crimes. Instead of implementing they should be refining their security controls and policies to evolve with the threats.
To be honest, I would be worried if a financial institution did not have these controls in place already. Why is this just now mandatory? Things like: Establishing a cyber security program and policy, conduct assessments and pen testing, and establish written incident response plan as stated in the article should already exist. If I was a CEO of a financial institution that did not already have these in place, I would start working on it immediately, as this “proposed” regulation should been passed years ago.
Vaibhav,
This is a very interesting article and also very eye-opening. It is almost disturbing that the DFS is now proposing new regulations on cyber security requirements for banks, insurance companies, and other financial service institutions. These practices are almost standard in the technology industry. Without these recommended regulations in place, it would be almost impossible to pass an IT audit.
Have to agree with other commenters. Seems like to little, to late.
Wade