Dive Brief:
- New regulations went into effect in New York state Wednesday requiring all regulated financial services institutions to have a cybersecurity program in place, appoint a chief information security officer and monitor the cybersecurity policies of third-party providers.
- The proposed regulations were first revealed in September and set to go live January 1, 2017. But banks and insurers requested a deadline extension and some program adjustments. The final rules offer a less restrictive timeline, including a transitional six-month period for businesses to be in compliance. After that, every regulated financial services company must certify that its cybersecurity program complies with the regulations on Feb. 15 of each year.
- "These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place" to protect businesses and clients "from the serious economic harm caused by these devastating cybercrimes," Governor Andrew Cuomo said in a statement.
Dive Insight:
New York may be the first, but it likely won’t be the last. With cybersecurity concerns top of mind for many state officials, other states will likely follow New York’s lead and implement programs mandating that companies and financial institutions put cybersecurity programs in place to protect customers.
Companies have been less than enthusiastic about the new rules, but the lure of easy money makes the financial services industry an appealing target for cybercriminals. In February 2016, criminals used SWIFT messages to help steal a record-breaking $81 million from the Bangladesh central bank. Raids on banks are viewed as a threat to national security because they undermine public trust in financial firms.
Though most agree the regulations are a step in the right direction, not everyone feels an annual security test is sufficient.
"It’s well accepted that infrequent vulnerability assessments aren’t enough, and it would be very surprising for any risk assessment to conclude that a bi-annual vulnerability assessment would be sufficient to protect a business," said Tim Erlin, senior director of IT security and risk strategy for Tripwire.