Skip to main content
close search
site logo
Dive Brief

A test case for other states, NY cybersecurity regulations take effect

Published March 1, 2017
By
Contributing Editor

Dive Brief:

  • New regulations went into effect in New York state Wednesday requiring all regulated financial services institutions to have a cybersecurity program in place, appoint a chief information security officer and monitor the cybersecurity policies of third-party providers.
  • The proposed regulations were first revealed in September and set to go live January 1, 2017. But banks and insurers requested a deadline extension and some program adjustments. The final rules offer a less restrictive timeline, including a transitional six-month period for businesses to be in compliance. After that, every regulated financial services company must certify that its cybersecurity program complies with the regulations on Feb. 15 of each year.
  • "These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place" to protect businesses and clients "from the serious economic harm caused by these devastating cybercrimes," Governor Andrew Cuomo said in a statement.

Dive Insight:

New York may be the first, but it likely won’t be the last. With cybersecurity concerns top of mind form many state officials, other states will likely follow New York’s lead and implement programs mandating companies and financial institutions to implement cybersecurity programs to protect customers.  

Companies have been less than enthusiastic about the new rules, but the lure of easy money makes the financial services industry an appealing target for cybercriminals. In February 2016, criminals used SWIFT messages to help steal a record-breaking $81 million from the Bangladesh central bank. Raids on banks are viewed as a threat to national security because they undermine public trust in financial firms.

Though most agree the regulations are a step in the right direction, not everyone feels an annual security test is sufficient.

"It’s well accepted that infrequent vulnerability assessments aren’t enough, and it would be very surprising for any risk assessment to conclude that a bi-annual vulnerability assessment would be sufficient to protect a business,"  said Tim Erlin, senior director of IT security and risk strategy for Tripwire.

Recommended Reading

Filed Under: Security, Leadership

Editors' picks

Company Announcements

View all | Post a press release
Graphiant Predicts Transformative Changes in Enterprise Connectivity and Data Assurance for 20…
From Graphiant
November 20, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
NeuBird Named a Cool Vendor in the 2024 Gartner® Cool Vendors™ in IT Operations Leveraging Gen…
From NeuBird
November 11, 2024
Legion Technologies Partners with Vail Resorts to Expand Workforce Management Across 37 Resort…
From Legion Technologies
November 19, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell