Cybersecurity, also known as information technology security, is the protection of computers, networks, data, and programs from cyber threats (a cyber threat can be a person or group that attacks another with malicious intent – a threat actor – or things like a virus or flood). It is used to guard the cyberspace of the nation's critical infrastructure, including the Financial Services Sector, which is led by the Department of Treasury.
Security can be breached by many different people and threats. According to the Verizon Data Breach Investigations Report, in the past year, breaches were done by outsiders, internet actors, featured parties, involved partners, and involved organized crime groups. Victims of these breaches included financial organizations, healthcare organizations, public sector entities, and retail and accommodation.
So how does cyber security affect Financial Services, and why do we need it? Simple: with growing cyber activity in the world, cyber threats and breaches are increasing in the industry. With more cyber threats, companies need cyber security now more than ever. In layman’s terms, cyber security is a must-have form of self-defense for companies; it protects clients’ personal information, trade secrets, day-to-day operations, etc.
In the past, regulations have been set in order to help organizations protect themselves against these threats. For example, the Gramm-Leach-Bliley Act of 1999 helped in protecting large banks. Recently, New York’s Department of Finance set out new regulations which, unlike the act of 1999, protect all financial organizations within the state. They are important because, according to Andrew Cuomo, governor of New York, these regulations will protect not only large banks but small banks and financial service organizations as well, which is quite different from the 1999 act. There has been some criticism of the regulations – mostly that they aren’t needed – but the Final Rule (as the second revision of the proposal was called) was in effect in March of this year.
Here are some quick facts about the Regulation itself:
— First state effort of its kind regulating financial service firms and banks
— Similar to federal requirements but with a few more and different details
— Not for federal chartered banks or federal branches of non-US banks
— Regulates “Covered Entities” under the NYDFS
— “the regulations impose minimum standards that exceed existing federal standards and introduce new requirements, including obligations to critically evaluate cybersecurity practices to ensure compliance, maintain detailed documentation demonstrating compliance and report cyber events to the New York Department of Financial Services.”
— Minimum Requirements asked of firms:
    — Written cybersecurity plan
    — Limited access privileges
    — Annual risk assessment of information systems
    — Limitations on data retention
    — Notice to NYDFS cybersecurity regulations superintendent when a cybersecurity event happens
You can read more about New York’s cybersecurity regulations here.
Interested to hear more thoughts on the regulations from industry professionals? Join FinTEx for a panel on July 11!