What a New Cybersecurity Regulation Means for New York Banks
Earlier this year, New York state rolled out the nation's first-ever cybersecurity regulation. It requires banks, insurance companies and other financial organizations to take steps to protect data. Unless exempted, the deadline for compliance is August 28, 2017.
Earlier this year, New York state rolled out the nation's first-ever cybersecurity regulation, which means that banks there will soon be held to regulatory standards for protecting data from the bad guys. The Department of Financial Services (DFS) will require that banks, insurance companies and other financial organizations operating in the state take steps to protect their organizations and consumers' private data from cybercriminals and terrorists. Unless exempted, the deadline for compliance is August 28, 2017.
Why Cybercriminals Like Banks
The world economy would come to a screeching halt if consumers and businesses completely lost faith in financial institutions, which have been a favorite target of cyberattacks over the last few years. In 2016, financial services became the industry most targeted by cybercriminals, according to the IBM X-Force Threat Intelligence Index 2017. Global cybercriminals target banks for direct access to money. Bad actors also fetch large profits on the darknet by selling the email addresses, phone numbers and Social Security numbers found in financial systems. Hackers also target banks for information on investment strategies and on mergers and acquisitions, which they can turn into gains on the stock market.
The rules will keep banks busy, with requirements for audit logs, multifactor authentication, private data encryption, application security, cybersecurity personnel and intelligence, training, monitoring and periodic risk assessment. Banks and the like also face "must haves" for confidentiality, incident response, cybersecurity event notifications and annual reports to DFS.
There are two sections of the new cybersecurity regulation that records managers will want to pay particular attention to in order to ensure compliance. The big one not to miss is Section 500.11, which spells out how to address third-party cybersecurity. It applies to service providers such as law firms and accountants, as well as to data storage, disposition and protection providers.
Section 500.13 is all about records disposition. It specifies that an institution's cybersecurity program must provide for the periodic, secure disposal of private data that is no longer needed for legitimate business purposes or required by law or regulation. The mandated third-party due diligence and risk assessments will quickly help you determine whether your information management providers meet the new cybersecurity standards for financial institutions operating in New York.
Although New York was the first state to pass regulations specific to cybersecurity, expect other states to follow suit. If anyone still needs convincing, the global WannaCry ransomware attack has shown how quickly insufficiently protected data can become a hacker's meal ticket. Savvy records managers will get ahead of the curve. In fact, New York's new requirements could serve as a smart place to start when figuring out how to advance the safety of information at your organization.