Security Orchestration addresses the latest cybersecurity regulation affecting the financial services industry.
On March 1, 2017 the New York Department of Financial Services implemented the “Cybersecurity Requirements for Financial Services” regulation, 23 NYCRR 500. These new rules respond to the growing concern that financial firms actively conducting business in New York State face increased cyber threats with little oversight, putting consumers and businesses at risk. As active partners with some of New York’s major financial institutions, Siemplify is providing a brief note on the key takeaways and on how we are helping the New York financial services industry meet these new regulatory requirements.
What are the Cybersecurity Requirements and Implications of this new regulation?
These rules are primarily seen as a set of recommendations for financial executives and senior security leaders. Though the regulation falls short of offering direct prescriptive advice, it does put hard deadlines in place. These deadlines put significant pressure on the financial services industry to prove it has acted on the recommendations. A few key rules pertaining to leadership require that:
- A CISO, either on staff or provided by a third-party vendor, must be in place.
- The CISO holds documented responsibility for the organization’s security apparatus.
- Documented proof of meaningful employee training and of incident response reporting can be provided to regulators.
Additionally, if a financial services organization is licensed and/or regulated by the New York State DFS, it is now required to assess its “security risk profile”, design a security program that addresses the organization’s risks, and file a certification confirming annual compliance with the regulation. A summary of the key directives includes:
- Implementing a cybersecurity program that encompasses identification and triage of internal and external cybersecurity risks, maintains network access and authentication logs, can detect and respond to events, and fulfills applicable regulatory reporting obligations.
- Designation of a Chief Information Security Officer (CISO) and utilization of qualified cybersecurity personnel (may be from a third party service provider).
- Continuous monitoring, or periodic penetration testing and vulnerability assessments.
- Provision and requirement that all personnel attend cybersecurity awareness training.
- Ensuring the use of secure development practices for in-house developed applications, and implementing procedures for assessing and testing the security of all externally developed applications.
- Assessing the risk to non-public information and information systems accessible to or held by third parties, and conducting third-party security assessments at least annually.
- Implementing controls, including encryption, to protect non-public data in transit and at rest.
- Establishing an incident response plan.