Rules ‘go beyond’ what SEC, FINRA have required of financial firms
Gov. Andrew Cuomo of New York announced Thursday final regulations that require financial services institutions to establish and maintain strict cybersecurity standards and to report them to the state’s Department of Financial Services.
DFS first proposed the regulation in September and was met with strong opposition from industry groups that said it was too strict. The mandate was revised in December to push back the compliance date. The regulation will take effect on March 1, and financial firms in New York will have until Sept. 1 to comply.
“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyberattacks,” Cuomo said in a statement. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cybercrimes.”
Indeed, the mandate prescribed by the New York DFS “goes beyond even what the SEC and FINRA have put forth,” according to John Cunningham, chief information officer and chief information security officer for Docupace.
Financial firms are being asked to “open the kimono” on their cybersecurity practices and report annually to the state superintendent on gaps in their firms and what they’re doing to remediate them, he said. Those reports must be retained for five years, Cunningham said in an interview with ThinkAdvisor. Cybersecurity programs must also include policies for regularly disposing of nonpublic information the firm no longer needs.
Firms must report all cybersecurity events, even unsuccessful ones, within 72 hours of discovery, he added.
Justin Kapahi, vice president of solutions and security at External IT, called the mandate “one of the more prescriptive action summaries I’ve seen in a while.”
“Right off the bat, you see that [it’s] much more prescriptive about the kind of IT policies you have to have, exactly what should make up those IT policies, and how you’re supposed to use those policies to measure your risk. That’s something that the SEC infers, but [the New York DFS] actually prescribes,” Kapahi told ThinkAdvisor.