Recently, the New York Department of Financial Services (“DFS”) released a proposed update to its 2017 “Cybersecurity Requirements for Financial Services Companies" law (also known as “23 NYCRR 500”). While the law only applies to organizations that are licensed in New York, everyone in banking should pay attention to it because it is likely a harbinger of things to come across the country.
Financial institutions have gotten used to regulators prescribing broad, non-specific regulations. These rules normally give the institution some latitude, based on their risk assessment, of what controls they implement. We often need to go to regulators and ask for clarification, and often get vague responses from them because they want to be consistent in their responses. The New York rule (as well as rules in other states) changes that, as it prescribes very specific controls for all covered organizations. Here is a list of just some of the new controls that all organizations will be required to have if they are a “covered entity” of the proposed New York law:
- Internal & external penetration tests.
- Automated vulnerability scans.
- Multifactor authentication required for privileged accounts.
- Multifactor authentication required for third-party portals that contain non-public information.
- Written asset inventory procedures that include documentation of recovery time requirements and end-of-life dates.
- Incident response and business continuity testing must include senior officer involvement.
- Must test ability to restore from backups.
- Must protect backups from unauthorized alteration or destruction.
Obviously, all the controls prescribed are good practices in today’s environment and most institutions likely have implemented most, but institutions that had previously justified not implementing one of them based on a risk assessment will now need to reverse that decision and expend resources to implement them anyway.
As threats continue to escalate, we can expect regulators to move towards more prescriptive regulations in the future. We need to continue to pay close attention to be prepared to act when they do. This could very well result in needing larger staff or in needing to seek outside help when internal staff is already busy. We should also pay attention when new laws are proposed so that we can provide feedback to regulators if they step over a line. At the end of the day, both regulators and bankers want to protect customer assets and information, so it makes sense that we would work together to achieve this goal.