Meeting New Cybersecurity Compliance Requirements – What You Need to Know

Aug 27, 2017 8:00:00 PM

Financial services firms in the State of New York are entering a new regulatory and compliance environment aimed at bolstering cybersecurity and preventing cybercriminals from causing financial losses for financial institutions and their customers.

Today, August 28, 2017, the 180-day transition period for the Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) ends and the regulation's core requirements become enforceable.

Today is the deadline for firms to comply with every requirement that was not given a longer transitional period, or face monetary penalties and harm to their reputation.

Overall, these practices are essential to enhancing cybersecurity, protecting customer and proprietary information, and maintaining consumer confidence.

A broad sector of regulated companies

The rules apply to financial services companies regulated by the New York Department of Financial Services (NYDFS), including:

  • Commercial banks and trust companies
  • Domestic and foreign representative bank offices
  • Check cashers
  • Health insurers
  • Life insurance companies
  • Money transmitters
  • Mortgage brokers, loan originators, and loan servicers
  • Property and casualty insurance companies
  • Sales finance companies
  • Service contract providers

The regulation applies to the vast majority of New York’s financial sector, although there are exemptions for the smallest firms.

A comprehensive framework for cybersecurity and compliance

The NY Cybersecurity Requirements for Financial Services Companies is a comprehensive set of regulations requiring companies to maintain procedures for risk management, incident response, and staff training, as well as regulatory reporting structures, to name just a few.

The full set of requirements is available here. The following highlights outline the main requirements.

1. A robust cybersecurity program

Companies must implement, document, and maintain a robust cybersecurity program that is designed to:

  • Identify internal and external cybersecurity risks to the information stored in the company's systems
  • Use defensive infrastructure to protect against unauthorized access
  • Detect cybersecurity events
  • Respond to detected cybersecurity events to mitigate their effects
  • Recover from cybersecurity events by restoring normal operations
  • Fulfill regulatory reporting obligations

2. Chief Information Security Officer

Companies must designate a qualified individual as Chief Information Security Officer (CISO) responsible for overseeing and implementing the cybersecurity program and enforcing its policies. The regulation allows the CISO to be an employee of the company, of an affiliate, or of a third-party service provider, but the covered company remains responsible for the program.

3. Written policies and procedures

Firms must maintain written policies and procedures on systems and network security, customer data privacy, business continuity, and disaster recovery planning, among other categories.

4. Incident response plan

Financial service companies must create a written plan for responding to cybersecurity events, including defining roles and responsibilities, communications, and information sharing protocols.

5. Cybersecurity staff training

Firms must employ qualified cybersecurity personnel, whether in-house or through an affiliate or third-party service provider, and must provide regular cybersecurity awareness training to all staff.

6. Risk assessment

Financial services firms are now required to conduct periodic risk assessments that consider the company-specific risks to their information systems and to the nonpublic information they collect or store.

The first risk assessment must be completed by March 1, 2018, and the other requirements—including the cybersecurity program and written policies—must be informed by the assessment’s findings.

Staying ahead of the compliance game

The NYDFS regulations are strict enough to raise the sector's cybersecurity baseline, but flexible enough to adapt to technological change. In many respects, the regulations rely on the companies themselves to develop the specific approach that will fend off cyber attacks and keep customer information protected.

In other words, if your firm is a financial services company, managing the risk and compliance is on you.

The key to maintaining regulatory compliance in this environment is your firm’s ability to adapt to the changing technology, risks, and industry trends.

Blueprint Regulatory Change Manager (RCM) helps you effectively manage risk and compliance in today’s world of dynamic regulatory change, unsustainable costs, and severe penalties. RCM keeps firms actively ahead of regulatory reforms and policy shifts while supporting compliance and reuse.

Blueprint’s RCM can successfully:

  • Centralize compliance requirements across the enterprise
  • Analyze business impact
  • Automate compliance workflow
  • Map regulatory events to compliance
  • Locate evidence

When it comes to the NY Cybersecurity Requirements for Financial Services Companies, Blueprint’s RCM can deliver the tools you need to manage compliance across the entire organization, so that the risks of censure or financial penalty can be avoided.