The New York Department of Financial Services (DFS) has proposed regulations to ensure that institutions better protect themselves.
While praising the work that members have done to have ‘proactively increased their cybersecurity programs’, the regulation will require each company to assess its specific risk profile and design a program that addresses its risks in a robust.
It read: “Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted. While not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities.”
It encouraged senior management to ‘take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations’.
It claimed that it is critical that ‘all regulated institutions’ to move swiftly and urgently to adopt a cybersecurity program, and for all regulated entities to be subject to minimum standards with respect to their programs.
The DFS claimed that ‘adoption of the program outlined in these regulations is a priority for New York State’.
Commenting, Ed Adshead-Grant, general manager of payments at Bottomline Technologies, said: “In its current form, the cybersecurity regulation proposed by New York State for banks and insurers is missing the mark, as it fails to address one key consideration: open banking. With the adoption of the PSD2 regulation in Europe, we’re already seeing financial institutions across the pond implementing new technologies like open APIs, and it’s clear that the trend will come to the US as well.
“The introduction of these technologies will give way to new security threats, requiring banks and insurers to implement real-time monitoring systems to identify and flag suspicious activity. While the proposed regulation’s requirement of multi-factor authentication is a solid step toward heightening security, that alone will not solve security problems if auditors are not watching how users – both internally and externally – are behaving in real-time.”