New cybersecurity regulations go into effect for financial services companies in the state of New York on March 1, 2017. And the time to act is now.
Announced in September last year by Governor Andrew M. Cuomo, officials hope the regulations will help financial institutions provide better safeguards—and thus, provide better protection for citizens and their financial assets. If all goes well, other states could follow their lead. Why the heightened focus on cybersecurity for financial services companies?
When financial institutions go down, the impact can be devastating.
Anyone remember the economic collapse of 2008? Real estate values plummeted; investment accounts were devastated; millions of jobs were lost. The impact was so massive and widespread, who could forget?
From July 2008 to March 2009, the U.S. lost $7.4 trillion in stock wealth and $3.4 trillion in real estate wealth, according to the Federal Reserve (as reported by Pew Charitable Trusts). People’s lives and their financial stability were disrupted in ways not seen since the Great Depression. While it may be a large-scale, extreme example, the fallout from the collapse does serve as a grim reminder of what can happen when the solvency of our financial institutions is threatened.
Cyber attacks pose a threat that can’t be underestimated.
Cyber crime is a multi-billion-dollar-a-year business. And all organizations, regardless of size, industry, or reputation, are susceptible to being attacked. Cyber thieves are indiscriminate that way. First and foremost, they choose targets they perceive as soft and vulnerable: ones they deem to have invested little in cybersecurity protection and, thus, are easy to penetrate.
For small businesses in particular, that poses a significant risk. According to Symantec, attacks on small businesses are increasing, rising 9% in 2015 over the previous year. And those attacks can have a devastating impact. In fact, data reported by the National Cyber Security Alliance suggests 60% of small businesses fail within six months after experiencing a significant cyber breach.
Even more concerning is the fact that cyber attacks continue to become more sophisticated and complex. Simple protection measures, while once effective, are no longer sufficient to guard against today’s advanced threats. And mounting a cyber assault today has never been easier for would-be cyber criminals with the presence of the Dark Web and nefarious offerings like “Ransomware-as-a-Service.”
Cybersecurity is a universal need.
Operating under the watchful eye of the Securities and Exchange Commission (SEC), large financial institutions typically have robust cybersecurity programs in place today. But smaller institutions, often less scrutinized than their larger counterparts, may not. However, the risk to these smaller organizations and their customers is no less significant.
With that in mind, the New York Department of Financial Services issued the new regulations, seeking to provide better protection for citizens and their financial assets by requiring all financial services companies to put more stringent security controls in place. In short, effective March 1, 2017, these firms will be required to:
- Ensure the basic components of a functional cybersecurity strategy are implemented by:
  - Establishing a formal cybersecurity program
  - Adopting a written cybersecurity policy
  - Documenting an incident response plan to respond to and recover from any cyber-related issues or breaches
- Designate a Chief Information Security Officer (CISO) to oversee all aspects of the cybersecurity program
- Ensure the security of information shared with third parties
- Adhere to additional requirements, including a security risk assessment, annual penetration testing and vulnerability assessments, and ongoing cybersecurity awareness training
For details on all the requirements, click here.
Though these regulations apply only to financial services companies in the state of New York, the guidelines contained within them are not limited to that audience. Cybersecurity is something every organization needs. And any company in any industry looking to improve its cybersecurity defenses can benefit from following these guidelines.
The clock is ticking.
As I mentioned, the new regulations take effect on March 1. And according to the requirements, institutions have six months (180 days) to comply (subject to the limited exemptions specified within the regulations). So the time to act is now.
Knowing where you currently stand is the first step. Take a close look at your risks, assess the integrity of your information systems, and evaluate your existing controls. After that, you’ll have a good idea what to do next.
Looking for help navigating the new regulations and laying out a plan for compliance? ePlus has you covered. Click here to learn more about our New York Department of Financial Services cybersecurity risk assessment and Virtual CISO offering or contact your ePlus Account Executive.