On March 1st of this year, New York became the first state to enact state-mandated cyber security guidelines for companies regulated by the state Department of Financial Services. These guidelines include 23 sections discussing specific technical safeguards financial institutions must have in place, such as data encryption, multi-factor authentication, security training for employees, appointment of a chief information security officer, and annual evaluations by a senior officer.
These rules are mandatory for the affected companies as well as any third-party vendors who have access those firms’ data, and the 180-day compliance deadline passed on August 28th. Other milestone dates can be found at http://www.dfs.ny.gov/about/cybersecurity.htm.
While some smaller firms are currently exempt from some of the rules, the logic behind them remains: information collected and stored by any financial institution is highly sensitive in nature and valuable to cyber criminals. This protected information needs to be properly safeguarded whether the firm has 100 clients or 100,000.
Financial institutions that are already following standard FINRA and GLBA guidelines should not have been surprised by the new mandated regulations. These regulations have been described as a more detailed version of the industry’s existing best practice. The biggest difference may be the hard deadline for compliance, which left some in the industry scrambling for how best to enact all required points in a 6-month timeframe.
Specifically, these rules call for some items that may not be commonly implemented, such as continuous monitoring, reporting and reviewing access privileges, conducting regular internal and external vulnerability assessments, and creating policies.
For firms based in New York, the deadline has just passed. Elsewhere, it’s never too early (or too late) to be sure that guidelines are met and best practices are in place.
Best practices from NYDFS 23 NYCRR 500:
- Have a person specifically responsible for cyber security
- Regular risk assessments
- Regular internal/external vulnerability assessments
- Multi-Factor Authentication: USE IT
- When in doubt, encrypt
- Have a written plan: incident response, business continuity, etc.
- Written polices: information security, asset inventory and device management, vendor and Third Party Service Provider management, etc.
- Know your data: what Protected Information (“PI”) do you have? Where is it?
As always, feel free to reach out to ADNET if you have any questions or concerns.