NYSDFS cyber regulations and their impact on financial institutions
March 15th, 2017
As cyber threats become more rampant, financial institutions are increasingly targeted by highly skilled and motivated criminals. While the new cyber security regulations set forth by the New York State Department of Financial Services (NYSDFS), which went into effect March 1, 2017, aim to protect critical assets, they also have an impact on the cyber security practices and procedures of these institutions.
New cyber security regulations: who's impacted & how?
The new standards require banks, insurance companies, and other financial services institutions regulated by the NYSDFS to establish and maintain a cybersecurity program that will protect the private information and data they collect. This includes not only sensitive customer information, but crucial business-related information as well.
Additionally, the newly adopted regulations, 23 NYCRR 500, require each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. That program must include consistent monitoring and ongoing testing, including periodic penetration testing and vulnerability assessment based upon the covered entity's risk assessment.
Establishing user controls in order to limit user access privileges, periodically reviewing such access privileges, and providing personnel with on-going cybersecurity awareness training are also minimum requirements for the covered entity.
These requirements, together with the use of encryption to protect data at rest and in transit, are standards that the defined covered entities must be able to demonstrate compliance with within 180 days of the March 1, 2017 effective date.
How can you become compliant?
In order to be in compliance, these entities must designate a Chief Information Security Officer, either in-house or outsourced to a third party, and must report defined cybersecurity events, which include unsuccessful attempts to access an information system, to the New York DFS within 72 hours of occurrence.
Given the continued attacks on high-profile targets, detecting and responding to a breach has become increasingly difficult for enterprises. Demonstrating compliance with these new regulations can help to thwart attacks, but detecting and responding to both internal and external cybersecurity threats means that these institutions must rely on actionable and accurate cyber threat intelligence.
Threats change every day, and the threat landscape is constantly expanding. Unless a threat's pattern has already been identified, that threat is nearly impossible to detect. That's why it's important to rely on service providers that specialize in detecting suspicious behavior across different vectors using the most innovative and reliable threat intelligence technologies.
Real-time threat intelligence that is accurate and actionable is one of the mechanisms financial services firms should be using to identify suspicious activity both internally and externally, covering employees, customers, and third-party vendors.
Given that covered entities must also verify the adequacy of their third-party vendors' cybersecurity practices, threat intelligence services should also extend to identifying anomalous user behavior throughout the supply chain.
IntSights offers its customers a cyber threat intelligence service based on machine-learning algorithms that scan multiple darknet and clear-web sites and can quickly and accurately identify the leakage of personal data and thus enable timely breach notification, in compliance with NYSDFS regulations.