New York Proposes Cybersecurity Regulations for Financial Services Companies
When unauthorized users penetrate information systems, they can disrupt, modify or even destroy a company’s electronic data, which can lead to devastating consequences – particularly for the finance industry. As technology advances, cyberattacks are becoming increasingly prevalent and threatening.
The New York State Department of Financial Services has been closely monitoring this ever-growing threat and has proposed regulations that would require financial services companies to adopt a cybersecurity program to protect their customers, employees, data and operations. Its proposed changes are expected to take effect on March 1, 2017. Financial services companies would have until Feb. 15, 2018, to submit a certificate of compliance with the program. Components of New York's proposed cybersecurity program are outlined in this article.
Conduct a Periodic Risk Assessment
Each company would be required to conduct a periodic risk assessment of its information systems. The risk assessment’s structure should allow flexibility for revisions based on technological developments and evolving threats, but should include the following:
- Criteria for the evaluation and categorization of identified cybersecurity risks or threats
- Criteria for the assessment of the confidentiality, integrity, security and availability of information systems, including the adequacy of existing controls
- Descriptions for how identified risks will be mitigated or accepted as part of the cybersecurity program
Institute a Cybersecurity Program
New York State would require each regulated financial services company to maintain a cybersecurity program to protect confidential information. The cybersecurity program could be maintained by the company or by an affiliate as long as all requirements are met.
All documentation relevant to an organization’s cybersecurity program should be made available to the Department of Financial Services upon request. Each program should be based on the required periodic risk assessment and include the following core functions:
- Identify and assess internal and external cybersecurity risks
- Use defensive infrastructure and implement policies and procedures to protect information systems from unauthorized access
- Detect cybersecurity events and respond to any identified events
- Recover from cybersecurity events and restore normal operations and services
- Fulfill applicable regulatory reporting obligations
- Monitor and test overall program effectiveness, including an annual penetration test and bi-annual vulnerability assessments
Create Written Cybersecurity Policies and Procedures
Each company would be required to implement and maintain a written policy for the protection of its information systems based on the cybersecurity program. The policy needs to address the following areas:
- Information security
- Data governance and classification
- Asset inventory and device management
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Systems operations
- Network security and monitoring
- Application development
- Physical security
- Customer data privacy
- Vendor and third-party service provider management
- Risk assessment
- Incident response
For More Information
Unauthorized access to your data can lead to devastating financial, legal and reputational consequences. Having a proactive cybersecurity strategy is not only your best defense against an attack, but if you are a financial services company in New York, it may soon become a requirement for doing business. To learn more about New York State’s proposed regulations, you can download a copy of the proposal or contact us.
Copyright © 2017, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.