Faced with the growing threat of cyber attacks and the challenges involved in recovering from various cybersecurity events, New York state’s authorities have rolled out new cybersecurity regulations that apply to financial institutions operating within the state.
New York’s Department of Financial Services (DFS) has issued the final Cybersecurity Requirements for Financial Services Companies, affecting “Covered Entities”, defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, establishing a set of standards that have to do with reporting breaches to regulators, in addition to implementing specific cybersecurity policies.
Cybersecurity Programs and Incident Response Plans
The new regulation aims to protect New York’s banks and insurance providers against cyber attacks, along with protecting sensitive consumer data. To that end, the rules - that went into effect on March 1 - prescribe a wide-ranging set of requirements for financial services companies in terms of specific steps they are supposed to take to be better prepared for cybersecurity incidents and how and when they must notify authorities of cyber attacks on their computer systems and networks.
According to the regulations, financial services companies are required to create a cybersecurity program that is expected to protect their information systems against cyber attacks. A covered entity’s cybersecurity program should be focused on identifying internal and external cybersecurity risks, detecting cybersecurity events, responding to detected cybersecurity events, recovering from cybersecurity events, and complying with reporting obligations.
As far as cybersecurity policies are concerned, covered entities are required to implement them in order to be able to address systems and network security, information security, data governance, customer data privacy, risk assessment, and incident response, among other aspects of cybersecurity.
When it comes to incident response plans, the new rules state that reporting cybersecurity incidents to regulators must be a paramount part of those plans. Regulated entities are required to confirm they gathered documentation regarding cybersecurity events and report them to various government and supervisory bodies, as part of their previously devised incident response plans.
Compiling documentation in reference to cybersecurity events, creating appropriate reports, and notifying authorities can be a tedious task for any organisation’s CSIRT. Companies can face tough consequences if they don’t complete the documentation in a timely and proper manner. Companies often require the solution of a cyber incident response platform that can generate reports on cybersecurity incidents automatically and in various formats, and is also capable of tracking and collecting evidence, helping their cybersecurity teams compile the required documentation faster and effortlessly.
These types of platforms also can also help companies’ CSIRTs predict and detect cybersecurity breaches and respond as fast as possible, which is one of the main capabilities the new cybersecurity regulations require from covered entities.