Infosec and Financial Institutions: New York's Proposed Legislation

Geoff Yeagley
Sep 27, 2016 1:30:00 PM


Financial Institutions are critical to the foundation of the economy of this country. If you think about it, financial institutions across the country house the wealth of this country and are always under attack. From true brute force hacking to phishing emails, bad actors are relentless in their efforts to steal your money. As a result, the State of New York has proposed groundbreaking, first of its kind regulations on all financial institutions in New York that are regulated by the New York Department of Financial Services.

In the proposed legislation, the State of New York requires all regulated financial institutions to establish a formal cybersecurity program. The components of this plan will be required to include the following:

  1. Establishment of a Cybersecurity Program
  2. Adoption of a Cybersecurity Policy
  3. Have a Chief Information Security Officer (This is a big deal)
  4. Manage and Mitigate Risk Associated with Third-Party Service Providers
  5. Additional Requirements (We will touch on this later in the post)

Let's take a look at each of these key requirements above in greater detail:

Establishment of a Cybersecurity Program - Regulated financial institutions will be required to adopt a full program designed to ensure the confidentiality, integrity, and availability of systems. The proposed legislation requires the program to focus on 5 key pillars of cybersecurity:

  1. Identify Risks
  2. Implement Policies and Procedures
  3. Detect Cybersecurity Incidents
  4. Respond to Cybersecurity Incidents
  5. Recover from Cybersecurity Incidents

Adoption of a Cybersecurity Policy - This should be written to say that regulated financial institutions will adopt extensive cybersecurity policies, not a singular policy. The following policies, at a minimum, must be implemented:

  • Information Security Policy
  • Data Governance and Classification
  • Access Controls and Identity Management
  • Business Continuity and Disaster Recovery
  • Capacity and Performance Planning
  • System Operations and Availability 
  • Systems and Network Security
  • Systems and Network Monitoring
  • Systems and Application Development and QA
  • Physical Security and Environmental Controls
  • Customer Data Privacy
  • Vendor Management
  • Risk Assessment
  • Incident Response

Chief Information Security Officer - Regulated financial institutions will be required to designate a Chief Information Security Officer (CISO) responsible for implementing and overseeing the institution's cybersecurity program. What is interesting about this is that the CISO must report to the board at least bi-annually to provide updates on the program, the risks identified, remediation strategies, and an assessment of the effectiveness of the program. Cybersecurity has finally reached the Board of Directors!

Third-Party Service Providers - Regulated financial institutions must have policies and procedures in place to ensure the security of information that is held by third-party providers. This is in line with the sweeping changes that the FFIEC made to the Management IT Booklet.

Additional Requirements - This is the catchall for anything that couldn't fit into the above buckets. The list is extensive and while I won't cover all the items required, here are a few:

  • Annual Pen Testing and Vulnerability Assessments
  • Annual Risk Assessments
  • Security Awareness Training
  • Multi-Factor Authentication for Admins
  • Written Incident Response Plan

This is the first time that a State Examining Agency is mandating cybersecurity requirements for financial institutions, regardless of size. This makes sense given that New York is considered the financial capital of the world and that threats to financial institutions are increasing. However, will this be a trend that catches on in other states? Time will tell, but one thing is certain: cybersecurity is getting the attention of State Regulators and will continue to be a priority for the Board of Directors, which is a significant change.