In a November 11, 2015 letter to other regulators, New York Financial Services Superintendent Anthony Albanese said that his agency has surveyed more than 150 banks and 43 insurers since 2013 and has begun conducting risk assessments of financial institutions. The agency has concluded that “robust regulation” is needed, and he urged other state and federal authorities to collaborate on establishing a framework of cyber defenses for the financial sector.
“First, although financial institutions have taken significant steps to bolster cyber security efforts in recent years, companies will continue to be challenged by the speed of technological change and the increasingly sophisticated nature of threats,” Albanese wrote. “Second, third-party service providers often have access to sensitive data and to a financial institution’s information technology systems, providing a potential point of entry for hackers.”
What might New York’s key proposals entail?
Written cybersecurity policies would be required in areas ranging from access controls, customer privacy and data governance to incident response and disaster recovery planning.
Contracts with third-party service providers would have to require multifactor authentication, use of data encryption, loss indemnification, warranties, incident notices and audits.
Regulated banks and insurers would have to conduct annual penetration testing and quarterly vulnerability assessments and maintain an audit trail that logs privileged user access and protects logs from tampering.
“Each covered entity would be required to immediately notify the department of any cyber security incident that has a reasonable likelihood of materially affecting the normal operation of the entity, including any cyber security incident,” Albanese wrote.
“It is our hope that this letter will help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions,” Albanese wrote.