The first state-mandated cybersecurity regulations in the nation went into effect Wednesday in New York State, requiring a wide range of financial services, banks and insurance firms to adopt measures aimed at protecting client data.
The rules, which the New York Department of Financial Services proposed in September and finalized Feb. 20, contain 23 sections detailing specific actions firms must have in place, including data encryption, appointing a chief information security officer, training employees in security, multi-factor authentication, and annual evaluations from a senior officer. The rules affect any companies regulated by New York DFS, as well as any third party vendor that has access to the data.
“New York is the financial capital of the world and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Andrew Cuomo said on finalizing the rules last week.
Firms have six months to comply with the rules and could face significant penalties and sanctions if they fail to do so.
Justin Kapahi, vice president of solutions and security at Workplace, said nothing in New York’s mandate should surprise firms already following industry best practices, in addition to the guidelines already issued by the Securities and Exchange Commission and the Financial Industry Regulatory Authority. However, the federal guidelines lack specifics. For example, the SEC requires firms to implement “reasonable safeguards to protect a client’s nonpublic information,” but doesn’t define what those reasonable safeguards are, according to The Wall Street Journal. Nor does the SEC stipulate what firms must do after a breach occurs, how it will enforce rules or penalize noncompliance.
“[New York is] taking what the SEC and FINRA have put out there and created a much more detailed and prescriptive version,” Kapahi said. “In here, you see a lot of detailed descriptions for what needs to be done.”
Read more on WealthManagement.com