New York's Department of Financial Services (NYDFS) recently announced that it has launched a dedicated "Cybersecurity Division." According to the press release, the new unit is the "first of its kind to be established at a banking or insurance regulator" and will "protect New York's financial services industry and consumers from the ever-growing threat of cyberattacks."
Cybersecurity incidents are a major threat to corporations today, and NYDFS has often been a leader when it comes to cybersecurity efforts and other regulatory concerns. As technology continues to advance and become more sophisticated, new efforts must be made to mitigate the risks that come with it.
Requirements for Regulated Financial Institutions in New York
In March 2017, Governor Andrew M. Cuomo announced the nation's first cybersecurity regulation to protect New York’s consumers and the financial services industry. Under the regulations, New York financial institutions that are regulated by the Department of Financial Services must establish and maintain a cybersecurity program that mitigates the risk of a cyberattack.
To implement an effective cybersecurity program, a covered entity must first conduct a risk assessment of any non-public information that is obtained and stored on the company’s information system. Using that assessment, the business can then build a program that functions to:
- Detect and evaluate internal and external cybersecurity risks that compromise the security of electronically stored non-public information
- Utilize internal policies and procedures as well as security mechanisms to guard non-public information from unauthorized access
- Detect “cybersecurity events,” which the regulations define as “… any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System”
- Respond to cybersecurity events to diminish adverse effects and damages
- Recover and restore normal operations and services following a cybersecurity event
- Meet applicable regulatory reporting obligations
The regulations provide specific guidance on how a covered entity can meet the requirements of each of these steps.
FTC Guidance on Reducing Cybersecurity Risk
At the federal level, the guidance for building an effective cybersecurity program is similar to New York’s. The Federal Trade Commission (FTC) promotes the National Institute of Standards and Technology (NIST) Cybersecurity Framework to help businesses understand and manage their risk for data compromises.
The framework identifies five key elements of a sound cybersecurity program:
- Identify – Companies should assess the areas of the business that could be at risk for a data compromise. An inventory should be made of the assets that could be vulnerable, including equipment, software, and digital devices. Using this information, policies and procedures should be established that outline the responsibilities of those individuals who access non-public information and the procedures to follow to prevent a data compromise.
- Protect – A business needs to take steps to protect non-public information by implementing processes such as controlling who has access to sensitive information, utilizing security software and encryption, establishing safe data disposal, and conducting regular security awareness training.
- Detect – Once policies and safe procedures are in place, the company needs to continually monitor digital devices for possible cyberattacks and compromises. When a risk is detected, it should be quickly and thoroughly investigated.
- Respond – A business should have a plan to respond to possible data compromises. The plan should include procedures that address notifying affected customers, alerting the appropriate authorities, and keeping the business up and running after a possible breach.
- Recover – Finally, a cybersecurity program needs to formulate a recovery process that repairs affected devices and communicates recovery efforts to employees and impacted consumers.
As with any good plan, a cybersecurity program should be continually tested, reviewed, and updated so that when a data compromise is detected, its provisions can be carried out in the way that most effectively mitigates risk.
Cybersecurity for Every Business
During the last several years, cybercriminals have been exploiting vulnerabilities in technology in order to access non-public data. Those who are successful can cause devastating financial loss to both businesses and their clients. Though financial services are a prominent target of cyberattacks, all businesses are at risk and should implement a cybersecurity program to minimize damages.
Once implemented, a program is only effective when it is adhered to by all personnel. That is why security awareness training is an important tool of any program: employees learn by completing training simulations. A company can never be over-prepared to mitigate risk and ensure data security for consumers. Using state and federal agency guidelines, such as those published by NYDFS and the FTC, businesses can proactively protect themselves and their customers from a breach of private information.