New York Proposes New Cybersecurity Regulations for Financial Institutions

Proposed criteria for policies and procedures, use of multi-factor authentication, employment of CISOs and other cybersecurity personnel

Chris Burt

November 12, 2015

Traders work on the floor of the New York Stock Exchange (NYSE) in July 2015. (Photo by Spencer Platt/Getty Images)

This article originally appeared at The WHIR

The New York Department of Financial Services has sent a letter to Financial and Banking Information Infrastructure Committee members outlining potential new cybersecurity regulations. The letter (pdf), dated Monday, provides a review of the assessment measures taken by the organization, as well as proposed regulatory criteria including the establishment of policies and procedures, use of multi-factor authentication, and employment of Chief Information Security Officers and other cybersecurity personnel.

The letter by Acting Superintendent of Financial Services Anthony Albanese is part of an ongoing process that previously introduced cybersecurity questions into the regulatory approval process and produced a proposal for new legislation from state attorney general Eric T. Schneiderman. The FBIIC consists of regulators and industry groups including the Securities and Exchange Commission, the Federal Deposit Insurance Corporation, and the Federal Reserve Bank of New York.

The NYDFS began its financial cybersecurity review process with surveys and analysis starting in 2013, and continued it with risk assessments and a further survey, this time on institutions' interactions with third-party service providers. That process produced the set of proposed regulations, covering eight areas, outlined in the letter.

The NYDFS proposes that financial institutions adopt:

  • Cybersecurity policies and procedures addressing 12 topics

  • Third-party service provider contracts that include six security provisions

  • Multi-factor authentication for both customers and employees

  • A Chief Information Security Officer

  • Application security procedures, guidelines, and standards

  • Cybersecurity personnel and intelligence, which could be provided by a third party

  • Audit trail systems

  • Cybersecurity incident notification requirements

Albanese notes in the letter that the list is neither final nor complete, and that additional dialogue among industry and regulatory stakeholders is necessary to finalize the new requirements.

Also this week, US prosecutors announced charges against conspirators in the 2014 JP Morgan data breach, which remains the highest-profile hack ever on a financial institution.
