New York Proposes Extensive Data Security Regs for Financial Services Companies, Begins 45-Day Comment Period


New York State has released new proposed Cybersecurity Requirements for Financial Services Companies. You can read the full proposal here.

According to the document, “the regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities…Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”

Among the requirements are written policies and procedures that are regularly approved by the company's Board and that cover the following:

  1. Information security
  2. Data governance and classification
  3. Access controls and identity management
  4. Business continuity and disaster recovery planning and resources
  5. Capacity and performance planning
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and network monitoring
  9. Systems and application development and quality assurance
  10. Physical security and environmental controls
  11. Customer data privacy
  12. Vendor and third-party service provider management
  13. Risk assessment
  14. Incident response

Other requirements include:

  • the designation of a qualified Chief Information Security Officer
  • annual penetration testing
  • quarterly vulnerability assessments
  • maintenance of an audit trail
  • management of access privileges
  • annual review of application development security procedures
  • annual risk assessments
  • regular training of all cybersecurity personnel
  • policies and procedures addressing third party information security
  • a process requiring multi-factor authentication to access systems or data
  • policies and procedures for timely destruction of particular data

The proposal states that it would become effective on January 1, 2017, with the requirement for all Covered Entities to submit an annual Certification of Compliance with the New York State Department of Financial Services Cybersecurity Regulations starting January 15, 2018. There would be a 180-day transitional period from the effective date for Covered Entities to comply.

There is a 45-day comment period on the proposal.
