Financial Services Companies Brace for New Cybersecurity Requirements
Anchin Alert
December 14, 2016
The New York State Department of Financial Services is taking the bull by the horns when it comes to how regulated financial services companies protect themselves and their customers from cyberattacks.
New York State regulations designed to combat the threat of cyberattacks become effective January 1, 2017. The regulations were proposed last September and included a 45-day notice and comment period.
The proposals would proactively require “Covered Entities” and third parties to enact a uniform structured set of minimum cybersecurity requirements. The regulations are designed to go beyond many existing state and federal laws requiring companies simply to enact “reasonable policies and procedures” regarding cyberattacks.
“Covered Entities” are defined by New York State as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.”
The cybersecurity policy encompasses several vital areas. These areas include:
- Information security
- Data governance and classification
- Systems and network security
- Physical security and environmental controls
- Customer data privacy
- Risk assessment
- Vendor and third-party service provider management
It’s also important to note that the policy needs to be reviewed by the entity’s board of directors, governing body or senior officer.
Cyberattacks occur frequently, with financial services companies often caught in the crosshairs.
In the financial sector there were 1,368 confirmed data breaches in 2015, with confirmed data loss in 795 of those breaches, according to Verizon.
Such computer attacks cost financial companies dearly, in terms of allocating expenses to remedy the situation and, perhaps more important, loss of credibility with customers, prospects and partners.
Most states (47) are fighting back by implementing data breach notification laws, which require companies whose data has been breached to notify their customers and include the provision of credit monitoring services.
However, for the most part these are toothless regulations and don’t make companies any less vulnerable to cyberattacks.
Hence, New York State is attempting to take the lead in combating an ever-growing threat to financial services, whether from nation-states, terrorist organizations and/or individual criminal hackers, and may serve as a national model.
Is your company prepared for the new regulations? For more information, contact your Anchin relationship partner or Jeffrey I. Rosenthal, Partner-in-Charge of Anchin’s Financial Services Practice at 212.840.3456.