Financial institutions are critical to the foundation of this country's economy. They house the wealth of the country and are therefore under constant attack: from true brute-force hacking to phishing emails, bad actors are relentless in their efforts to steal your money. In response, the State of New York has proposed groundbreaking, first-of-its-kind regulations covering all financial institutions in New York that are regulated by the New York Department of Financial Services.
In the proposed regulation, the State of New York requires every regulated financial institution to establish a formal cybersecurity program. The program will be required to include the following components:
Let's take a look at each of these key requirements above in greater detail:
Establishment of a Cybersecurity Program - Regulated financial institutions will be required to adopt a full program designed to ensure the confidentiality, integrity, and availability of their information systems. The proposed regulation requires the program to focus on five key pillars of cybersecurity:
Adoption of a Cybersecurity Policy - This would be better phrased in the plural: regulated financial institutions will adopt an extensive set of cybersecurity policies, not a single policy. The following policies, at a minimum, must be implemented:
Chief Information Security Officer - Regulated financial institutions will be required to designate a Chief Information Security Officer (CISO) responsible for implementing and overseeing the institution's cybersecurity program. What is interesting here is that the CISO must report to the board at least bi-annually to provide updates on the program, the risks identified, and the remediation strategies, and to assess the effectiveness of the program. Cybersecurity has finally reached the Board of Directors!
Third-Party Service Providers - Regulated financial institutions must have policies and procedures in place to ensure the security of information held by third-party providers. This is in line with the sweeping changes the FFIEC made to its Management IT Booklet.
Additional Requirements - This is the catch-all for anything that didn't fit into the buckets above. The list is extensive, and while I won't cover every required item, here are a few:
To review the full list of proposed requirements, click here.
This is the first time that a state examining agency has mandated cybersecurity requirements for financial institutions regardless of size. That makes sense, given that New York is considered the financial capital of the world and that threats to financial institutions keep increasing. Will this be a trend that catches on in other states? Time will tell, but one thing is certain: cybersecurity is getting the attention of state regulators and will continue to be a priority for Boards of Directors, which is a significant change.
How does your financial institution handle all of the requirements listed above? For more information on how Compass can assist your financial institution with these services, please contact us!