Skip to main content
close search
site logo
Dive Brief

A test case for other states, NY cybersecurity regulations take effect

Published March 1, 2017
By
Contributing Editor

Dive Brief:

  • New regulations went into effect in New York state Wednesday requiring all regulated financial services institutions to have a cybersecurity program in place, appoint a chief information security officer and monitor the cybersecurity policies of third-party providers.
  • The proposed regulations were first revealed in September and set to go live January 1, 2017. But banks and insurers requested a deadline extension and some program adjustments. The final rules offer a less restrictive timeline, including a transitional six-month period for businesses to be in compliance. After that, every regulated financial services company must certify that its cybersecurity program complies with the regulations on Feb. 15 of each year.
  • "These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place" to protect businesses and clients "from the serious economic harm caused by these devastating cybercrimes," Governor Andrew Cuomo said in a statement.

Dive Insight:

New York may be the first, but it likely won’t be the last. With cybersecurity concerns top of mind form many state officials, other states will likely follow New York’s lead and implement programs mandating companies and financial institutions to implement cybersecurity programs to protect customers.  

Companies have been less than enthusiastic about the new rules, but the lure of easy money makes the financial services industry an appealing target for cybercriminals. In February 2016, criminals used SWIFT messages to help steal a record-breaking $81 million from the Bangladesh central bank. Raids on banks are viewed as a threat to national security because they undermine public trust in financial firms.

Though most agree the regulations are a step in the right direction, not everyone feels an annual security test is sufficient.

"It’s well accepted that infrequent vulnerability assessments aren’t enough, and it would be very surprising for any risk assessment to conclude that a bi-annual vulnerability assessment would be sufficient to protect a business,"  said Tim Erlin, senior director of IT security and risk strategy for Tripwire.

Recommended Reading

Filed Under: Security, Leadership

Editors' picks

Company Announcements

View all | Post a press release
truCX Launches Groundbreaking Partner Portal, Empowering CX Consultants and Trusted Advisors w…
From truCX
October 30, 2024
Newgen Software reports Revenues from operations at Rs 361 cr in Q2 FY’25, up 23% YoY
From Newgen Software
October 16, 2024
Cosentino Drives Business Transformation with AI Powered by Celonis Process Intelligence
From Celonis
October 23, 2024
Productboard Launches AI-Powered Productboard Pulse To Integrate Voice of Customer Into Produc…
From Productboard
October 29, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell