Gov. Andrew Cuomo of New York on Thursday announced final regulations that require financial services institutions to establish and maintain strict cybersecurity standards and to report on them to the state's Department of Financial Services.
DFS first proposed the regulation in September and was met with strong opposition from industry groups that said it was too strict. The mandate was revised in December to push back the compliance date. The regulation will take effect on March 1, and financial firms in New York will have until Sept. 1 to comply.
“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyberattacks,” Cuomo said in a statement. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cybercrimes.”
Indeed, the mandate prescribed by the New York DFS “goes beyond even what the SEC and FINRA have put forth,” according to John Cunningham, chief information officer and chief information security officer for Docupace.
Financial firms are being asked to “open the kimono” on their cybersecurity practices and report annually to the state superintendent on gaps in their firms and what they're doing to remediate them, he said. Those reports must be retained for five years, Cunningham said in an interview with ThinkAdvisor. Cybersecurity programs must also include policies for regularly disposing of nonpublic information the firm no longer needs.
Firms must report all cybersecurity events, even unsuccessful ones, within 72 hours of discovery, he added.
Justin Kapahi, vice president of solutions and security at External IT, called the mandate “one of the more prescriptive action summaries I’ve seen in a while.”
“Right off the bat, you see that it's much more prescriptive about the kind of IT policies you have to have, exactly what should make up those IT policies, and how you're supposed to use those policies to measure your risk. That's something that the SEC infers, but [the New York DFS] actually prescribes,” Kapahi told ThinkAdvisor.
New Role for CISO
The regulations require financial institutions to assess their risks and maintain a cybersecurity program that will “protect the confidentiality, integrity and availability” of their information systems. Among the specific actions they must take are to identify and assess risks to their systems; implement “defensive infrastructure”; detect and respond to cybersecurity events; recover from a cybersecurity event and resume normal operations; and report on their program annually to DFS.
Cunningham pointed out some areas where firms may struggle to meet the mandate's requirements.
One is the requirement to have a “qualified person” in the chief information security officer role. “In the past, companies just designated their CFO as the CISO, but that's probably not going to be OK anymore.”
Cunningham recommends firms that want to hire their own CISO look for someone with experience and professional designations like the Certified Information Systems Security Professional (CISSP).
The regulation explicitly allows firms to use an affiliate or third party as a CISO, but requires that the firm retain responsibility for cybersecurity compliance and designate someone within the firm to be responsible for the third-party CISO, who must also meet the requirements of the mandate.