State government officials realize that cyber security needs to be promoted throughout private industry financial sectors, but few have issued any state-wide initiatives to mandate change—until now. The state of New York is enforcing cyber security regulations for financial entities.
The New York State Department of Financial Services is enforcing a new proposal that helps regulate cyber security among financial institutions within the state of New York. Cynthia Larose, a legal expert and chair of Mintz Levin’s Privacy and Data Security Practice who specializes in privacy and data security, recently explained the changes in her blog.
Larose, an experienced attorney who has received numerous awards, including being named among the Diversity Council’s Top 50 Most Influential Women in Technology, states that the proposal “requires financial institutions and insurers to implement strong policies for responding to cyber attacks and data breaches.”
New York’s game-changing proposal helps protect the state from the devastating effects of cyber crime. According to Governor Andrew Cuomo, “this regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”
When did the new regulations take effect?
Before New York’s proposal could be enforced, it was posted in the New York state registry on September 28, 2016, and then subjected to a 45-day notice and public-comment period.
What do the new regulations include?
The new regulations mandate that New York-based financial entities do the following:
- Develop and implement a cyber security program that identifies cyber risks, tests for cyber security breaches and responds to cyber security events effectively to restore normal operations.
- Have a written cyber security policy that covers information access and security.
- Select a Chief Information Security Officer to implement, oversee and enforce the new program and its policies.
- Have policies and procedures to protect non-public information held by third-party vendors from unauthorized access.
Do the new regulations only affect New York?
Although the regulations are New York-specific, it is highly likely that other states will adopt similar requirements, and not just for financial services. Industries across the board can expect multiple regulations to be proposed soon to beef up cyber security measures and ensure training is in place.
Are the regulations enough?
Although the requirements do mandate annual training and vulnerability assessments, one important component is still missing: a way to test the effectiveness of the training.
This missing link is a looming issue, regardless of the industry that is involved. For many companies, corporate cyber training may be in place, but the effectiveness of the cyber education remains suspect. Are the employees really digesting the information in a way that will significantly improve cyber readiness? So far, there is little proof that an employee’s name on a training roster will prevent the compromise of private or personal information.
Annual training, such as that indicated in the New York regulation, may quickly be forgotten, and the proof of inadequacy is often a devastating breach of information that will cost thousands—if not millions—of company dollars to address.
While once-a-year training may meet government requirements, it goes against the recommendations of a number of security frameworks, such as NIST, ISO, HIPAA and others. These frameworks agree that training content should be, among other things, engaging, continuous, short, simple and personal. Once-a-year training offers no way to validate the effectiveness of an employee’s cyber education. In addition, although the lengthy cyber security classes that often make up such training include important information, the material may not be absorbed because it is not offered in easily digested, bite-sized portions.
If companies want to ensure that they are offering the best protection against employee-based cyber threats, they must not only verify that training is occurring. They must also have proof that it is actually working by measuring and monitoring the training’s effectiveness.