Connect with us

Hi, what are you looking for?



New York State Imposes New Cybersecurity Regulation for Financial Services

New York State Department of Financial Services (DFS) has published its revised proposal for what it calls a ‘first-in-the-nation cybersecurity regulation’ for New York regulated financial services. Publication was delayed by approximately one week following significant pushback from affected organizations on Dec. 22 2016.

New York State Department of Financial Services (DFS) has published its revised proposal for what it calls a ‘first-in-the-nation cybersecurity regulation’ for New York regulated financial services. Publication was delayed by approximately one week following significant pushback from affected organizations on Dec. 22 2016.

“This updated proposal (PDF),” announced Financial Services Superintendent Maria T. Vullo,  Dec. 28, “allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats.”

There have been many minor changes to the original proposal first released in September 2016. These have attempted to make the requirements less onerous without weakening security. For example, it is now less prescriptive and individual implementation “shall be based on the Covered Entity’s Risk Assessment.” Annual penetration testing is now required “absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities.”

However, DFS has made it clear that over the final 30-day comment period, only issues not already raised will now be considered. The current proposed document is likely to be the final regulation; and there will be little time for regulated organizations to ensure their compliance before it becomes effective on March 1, 2017. The requirement for annual compliance reports will be effective from February 15, 2018.

At a hearing on December 22, New York bankers raised a number of continuing concerns. These include the cost of compliance (which will divert funds from other priorities); the apparent requirement to employ a CISO (which is seen as an interference in the way organizations run their business); and potential conflict with other regulations (such as the federal rules of FFIEC, Federal Reserve, the OCC, the FDIC and even NIST).

The new 14-page DFS regulation is effectively a very detailed high level security policy document. It states what is required from financial services rather than how the requirements should be implemented. As such it is yet another set of compliance regulations that relevant companies need to meet.

There is a strong body of opinion among security officers that too many regulations can impinge on actual security efforts by diverting effort, and funds, away from the front line. Many suggest that regulations should focus around the NIST security framework; perhaps by persuading NIST to add specialist appendices. This would provide a single go-to source for what needs to be done.

In this instance, two of the main new requirements for New York financial institutions would be the need to employ a CISO; and the need for annual reports, effectively signed-off by the board with a certification document to be sent to the DFS.

Advertisement. Scroll to continue reading.

Section 500.04 requires that ‘covered entities’ must designate a ‘qualified individual’ who is described as a Chief Information Security Officer (CISO). From that point onwards, that person is described as the CISO. This alone raises a number of issues. What qualifications are necessary for a CISO? Must the organization concerned redefine its current information security officer as a CISO?

The new requirement for annual compliance reports requires that the CISO “shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body.” This will effectively be a statement on how the regulation is implemented, including details on ‘material Cybersecurity Events’.

This much is already considered good practice, but frequently doesn’t happen. Even where a report is delivered, there is no guarantee that the board will take much notice. The new regulation, however, requires that on February 15, 2018 and annually thereafter, the organization’s Board of Directors or a senior officer confirm, or certify, to the DFS with a “Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations.”

The purpose is clear and beneficial. The new regulation seeks to both define good security practices and ensure that the board is responsible for their implementation. It marks a new process where regulators don’t simply stand outside of an organization with policy guidelines, but actually impose new business practices on the regulated entities.

Learn More at SecurityWeek’s CISO Forum at the Ritz-Carlton, Half Moon Bay

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...


Web scraping is a sensitive issue. Should a third party be allowed to visit a website and use automated tools to gather and store...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...