In case you need another regulatory deadline, the New York Department of Financial Services (DFS) has issued a reminder to all the organizations it oversees that they have a cybersecurity regulation deadline coming up on Sept. 4, 2018.
That is the day when “the third transitional period of New York’s first-in-the-nation cybersecurity regulation ends,” according to the DFS.
To recap, the regulatory effort compels firms governed by the DFS to establish effective safeguards against cyber-attacks from “nation-states, terrorist organizations and independent criminal actors.”
The regulation, which went into effect March 1, 2017, was established to “ensure appropriate minimum standards protecting financial institutions’ data systems, including consumers’ sensitive personal information,” according to the DFS.
“Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations,” according to the actual regulation. “A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.”
By the way, the new protections that come with the September deadline “include encryption, access controls and audit trails” and are in addition to the regulation’s previous requirements.
The DFS wants financial services institutions to comply with “several additional provisions of the cybersecurity regulation” such as:
- The start of mandatory, annual reporting to the board by the firm’s Chief Information Security Officer “concerning critical aspects of the cybersecurity program;”
- The establishment of an audit trail to “reconstruct material financial transactions sufficient to support normal operations in the event of a breach;”
- The creation of policies and procedures that “ensure the use of secure development practices for IT personnel that develop applications for the covered entity;”
- Implementing a system of “encryption to protect nonpublic information held or transmitted by the company;”
- The development of policies and procedures to “ensure secure disposal of information that is no longer necessary for the business operations;”
- And the implementation of “a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.”
My guess is that most firms have the aforementioned requirements already in place or will soon. These safeguards just seem to make sense for most firms.
Looking beyond September, the DFS is also reminding regulated entities that work with third-party service providers that they “must evaluate the risk” that third-party providers “pose to the security of those systems and data and ensure those systems and data are protected by March 1, 2019.”
For firms that have more questions about the regulation, the DFS has a FAQ page here.
The actual text of the regulation can be found here.