How New York is Shaking Up Cybersecurity
September 1, 2017
Steven Chabinsky
KEYWORDS cyber security education / Financial Cyber Security / New York City security / security compliance

Something potentially groundbreaking is happening in New York, and its impact is being felt globally. Still, if you’re not in the financial services industry, and specifically regulated by the New York State Department of Financial Services (NYDFS), you may have missed it.

What is this change? In short, it’s the first of what may become a wave of stringent state cybersecurity regulations that impose “minimum standards” on industry. Let’s briefly explore what the new rule looks like, and what this recent development may mean for the future of cybersecurity.


Start Spreadin’ the News

After a public comment period, NYDFS issued a set of regulations called “Cybersecurity Requirements for Financial Services Companies.” The individual requirements are being phased in over two years, and the first transition period, which just occurred on August 28, requires the following:

  • Formal Risk-Based Cybersecurity Program
  • 14-Point Cybersecurity Policy
  • Seven-Point Incident Response Plan
  • A Qualified Chief Information Security Officer
  • Continuously Trained Cybersecurity Personnel
  • Limited User Access Privileges
  • 72-Hour Notice of Certain Events

Fast approaching are mandatory risk assessments; continuous monitoring or, failing that, annual penetration testing and bi-annual vulnerability assessments; use of multi-factor authentication and encryption; system audit trails; application security; third-party vendor review; and limits on data retention. Oh, and let’s not forget, a senior official (or the Board) must certify compliance annually.


Make a Brand New Start of It

Although NYDFS could have adopted the NIST Framework instead of creating something new, it didn’t. That can spell trouble. You’ll recall that the United States does not have a single, national data breach notification law, having left the issue to be handled on a state-by-state basis. The result is that 48 states now have their own laws, and businesses are left to sort them all out. Are we about to face the same headache for cybersecurity requirements? It’s quite possible, and there already is some indication that State Attorneys General are looking to the NYDFS model as “top of the heap” when drafting data breach settlements against parties that are not financial institutions.


If I Can Make It (Apply) There, I’ll Make It (Apply) Anywhere

It’s true that NYDFS can enforce the regulation only against entities it directly supervises. However, the regulation’s impact can be felt anywhere. That may seem counterintuitive, but the reason is simple. A number of supervised entities rely upon a parent or affiliated company outside of New York (and perhaps even outside the United States) for their network infrastructure and global cybersecurity operations. Although an affiliate may fall outside of Albany’s supervisory grip, all or part of the affiliate’s program – potentially operated halfway around the world – can fall under New York’s microscope and require onerous and sensitive disclosures.


It’s Up to You

It is common to map a company’s cybersecurity program against international, national and industry frameworks and controls. If you fall under NYDFS supervision, New York now needs a column of its own. Otherwise, it’s up to you, at least for now.


Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

Copyright ©2019. All Rights Reserved BNP Media.