This article originally appeared at The WHIR
The New York Department of Financial Services has sent a letter to Financial and Banking Information Infrastructure Committee members outlining potential new cybersecurity regulations. The letter, dated Monday, provides a review of the assessment measures taken by the organization, as well as proposed regulatory criteria including the establishment of policies and procedures, use of multi-factor authentication, and employment of Chief Information Security Officers and other cybersecurity personnel.
The letter by Acting Superintendent of Financial Services Anthony Albanese is part of an ongoing process which previously introduced cybersecurity questions into the regulatory approval process and a proposal for new legislation from state attorney general Eric T. Schneiderman. The FBIIC consists of regulators and industry groups including the Securities Exchange Commission, the Federal Deposit Insurance Commission, and the Federal Reserve Bank of New York.
Surveys and analysis that the NYDFS began conducting in 2013 started a financial cybersecurity review process, which continued with risk assessments and a further survey, this time on interactions with third-party service providers. That process has produced the set of regulations in eight areas outlined in the letter.
The NYDFS proposes that financial institutions adopt:
- Cybersecurity policies and procedures addressing 12 topics
- Third-party service provider contracts that include six security provisions
- Multi-factor authentication for both customers and employees
- Chief Information Security Officers
- Application security procedures, guidelines, and standards
- Cybersecurity personnel and intelligence, which could be provided by a third party
- Audit trail systems
- Notice of cybersecurity incident requirements
Albanese notes in the letter that the list is neither final nor complete, and that additional dialogue among industry and regulatory stakeholders is necessary to finalize the new requirements.