First State-Mandated Cybersecurity Law Goes Into Effect In New York

Unlike guidelines from the SEC and FINRA, New York details specific actions and names a hard deadline for compliance. 

The first state-mandated cybersecurity regulations in the nation went into effect Wednesday in New York State, requiring a wide range of financial services, banks and insurance firms to adopt measures aimed at protecting client data.

The rules, which the New York Department of Financial Services proposed in September and finalized Feb. 20, contain 23 sections detailing specific actions firms must have in place, including data encryption, appointing a chief information security officer, training employees in security, multi-factor authentication, and annual evaluations from a senior officer. The rules affect any companies regulated by New York DFS, as well as any third-party vendor that has access to the data.

“New York is the financial capital of the world and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Andrew Cuomo said on finalizing the rules last week.

Firms have six months to comply with the rules and could face significant penalties and sanctions if they fail to do so.

Justin Kapahi, vice president of solutions and security at External IT, said nothing in New York’s mandate should surprise firms already following industry best practices, in addition to the guidelines already issued by the Securities and Exchange Commission and the Financial Industry Regulatory Authority. However, the federal guidelines lack specifics. For example, the SEC requires firms to implement “reasonable safeguards to protect a client’s nonpublic information,” but doesn’t define what those reasonable safeguards are, according to The Wall Street Journal. Nor does the SEC stipulate what firms must do after a breach occurs, or how it will enforce rules or penalize noncompliance.

“[New York is] taking what the SEC and FINRA have put out there and created a much more detailed and prescriptive version,” Kapahi said. “In here, you see a lot of detailed descriptions for what needs to be done.”


External IT Brings Cybersecurity Training

External IT, a technology firm that provides cloud-based cybersecurity and information technology for financial services, is launching a new kind of SAT for advisors, one without an essay portion. The Security Awareness Training program is designed to educate advisors and their employees on best practices for using corporate IT systems. The program includes phishing email tests, reporting, online training and results of the evaluation delivered to the firm’s compliance manager. External IT says the program addresses the most commonly overlooked source of data breaches: employee-related negligence. “Information is shared through non-secured programs, passwords are being carelessly generated — the list goes on,” said Justin Kapahi, External IT’s technical director. “We’ve developed SAT to provide advisors with clear security guidelines to ensure their information is protected from the inside-out, at every level.”