Due to the increasingly significant threat that cybercrime poses to businesses and consumers, New York has released cybersecurity requirements for financial services companies in the state of New York. While the SEC currently mandates that organizations implement “reasonable safeguards to protect a client’s nonpublic information,” the new regulation gives organizations more specific direction on mitigating cyberthreats. In turn, this regulation is intended to better protect consumer information and better manage the threat landscape. Its main requirements are:
- Cybersecurity Program: Organizations are required to establish a cybersecurity program designed to protect the information systems within the organization. The main functions of the cybersecurity program are:
  - Identify and assess cybersecurity risks
  - Develop policies and procedures to mitigate cyberthreats
  - Detect and respond to cyberthreats
  - Meet regulatory reporting needs
- Cybersecurity Policy: Organizations must implement and maintain written policies and procedures that document how nonpublic information is protected. The following areas must be addressed:
  - Information security
  - Data governance and classification
  - Asset inventory and device management
  - Access controls and identity management
  - Business continuity and disaster recovery planning and resources
  - Systems operation and availability concerns
  - Systems and network security
  - Systems and network monitoring
  - Systems and application development and quality assurance
  - Physical security and environmental controls
  - Customer data privacy
  - Vendor and third-party service provider management
  - Risk assessment
  - Incident response
- Chief Information Security Officer: Organizations will be obligated to designate an individual to oversee and enforce the cybersecurity program and its policies.
- Penetration Testing and Vulnerability Assessments: Organizations must conduct an annual penetration test, along with bi-annual vulnerability assessments.
- Risk Assessment: Organizations should conduct regular risk assessments to inform the design of the cybersecurity program. Risk assessments need to be updated regularly so they remain relevant as the industry or the organization's internal operational structure changes.
- Multi-Factor Authentication: Organizations must use multi-factor authentication, or risk-based authentication, to protect sensitive information. Multi-factor authentication must be used whenever an individual accesses internal networks from an external network, unless the CISO has approved in writing the use of reasonably equivalent or more secure controls.
Organizations are obligated to meet the requirements set within the regulation, unless the organization:
- Has fewer than ten employees in New York, including independent contractors, or
- Earned less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations, or
- Has less than $10,000,000 in year-end total assets, calculated per GAAP
Effective March 1, 2017, financial services companies will be required to meet these cybersecurity requirements. Beginning February 15, 2018, organizations will be required to annually prepare and submit a Certification of Compliance with the New York State Department of Financial Services Cybersecurity Regulations.
Organizations have one year from the effective date to comply with the following sections:
- Chief Information Security Officer
- Penetration Testing and Vulnerability Assessments
- Risk Assessment
- Multi-Factor Authentication
- Cybersecurity Awareness Training: Provide regular cybersecurity awareness training for all personnel, updated to reflect the risks identified in the risk assessment.
Firms that are unable to comply with these regulations could face penalties or sanctions for non-compliance. Is your organization prepared to handle these challenges? A-LIGN’s experienced assessors can help your organization meet the New York State Department of Financial Services Cybersecurity Regulations. Contact our professionals today at [email protected] or 1-888-702-5446.