Cybersecurity and Data Privacy: Potential New Cybersecurity Regulations for Financial Institutions and Insurance Companies

[Inga Goddijn <inga () riskbasedsecurity com>]

http://www.jdsupra.com/legalnews/cybersecurity-and-data-privacy-90212/

On the heels of recent high profile cyber-attacks against financial
institutions and insurance companies, the New York State Department of
Financial Services released a letter on November 9, 2015 that outlines
proposed cybersecurity regulations currently under consideration.(1)

The Department is proposing to require all "covered entities"(2) to
develop, implement and maintain a cybersecurity program to address twelve
identified aspects of cybersecurity planning and readiness, including:
information security, data governance and classification, access controls
and identity management, business continuity and disaster recovery
planning, capacity and performance planning, system operations and
availability, system and network security, system and application
development and quality assurance, physical security and environmental
controls, customer data privacy, vendor and third-party service provider
management and incident response.

Businesses subject to the Department’s proposed regulations would be
expected to stay abreast of new cybersecurity threats and countermeasures
and to train and employ personnel to adequately manage their cybersecurity
risks. The Department’s proposal would allow covered entities to use
outside contractors or vendors to assist them in complying with the new
regulations, however, each covered entity would be required to designate a
qualified employee to serve as its Chief Information Security Officer
(CISO). In addition to overseeing and implementing the covered entity’s
cybersecurity program, the CISO would have the responsibility of preparing
an annual report assessing the state of the program and known cybersecurity
risks to be reviewed by the covered entity’s board of directors and
submitted to the Department.

The Department’s letter indicates that determinations regarding specific
security measures to be undertaken will, for the most part, be left to
individual covered entities. At a minimum, however, the Department will
likely require covered entities to adopt multi-factor authentication in
connection with providing access to their internal systems or data from
external networks, including customer access via web-based applications or
other privileged access to database servers containing confidential
information. The proposed regulations would also require covered entities,
as part of their cybersecurity program, to conduct annual penetration
testing and quarterly vulnerability assessments, and to maintain a system
to collect, store and protect access data in order to preserve an audit
trail.

Lastly, businesses would be required to notify the Department of any
security breach (i) that has a reasonable likelihood of materially
affecting the normal operation of the entity, (ii) which involves the
compromise of nonpublic personal health information, private information,
payment card information or biometric data, or (iii) which otherwise
triggers a notice requirement under New York law.

Many companies in the financial services business have already implemented
cybersecurity programs in order to better protect themselves against
possible liability resulting from a breach. Existing cybersecurity measures
should be reviewed, however, to address new developments and increased
threats, and with an eye towards complying with enhanced government
regulation in the cybersecurity arena. The proposals outlined by the New
York State Department of Financial Services in its recent letter provide
useful guidance as to what will be expected from companies in this
constantly evolving area of the law.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!