Ratcheting Up Financial Service Industry Cyber Security Regulations

Cyber security regulations and requirements continue to be strengthened, yet data breaches continue to occur. Even if you are compliant with all the requirements, including the updated ones for the State of New York’s Department of Financial Services (DFS) entities, you are not immune from becoming the next headline. There is a common denominator that can undermine the best designed security policy or the toughest requirement – people! Specifically people who do not have sufficient cyber security training and focus.

While the DFS regulations are New York centric, other states also continue to enhance regulations and requirements. This particular update applies to all entities with a DFS “license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.” A few key points are:

  • Limitations and Data Retention: What is retained and for how long is no longer only concerned with keeping records for a sufficient length of time, but also with the destruction of customer data in a timely manner to protect people from having personally identifiable information (PII) floating about in the ether. Combined with an enhanced definition of non-public information from, and this becomes more of a challenge.
  • The CISO and Application Security: In addition to specifying that the CISO role must be assigned to an individual and all the rights and responsibilities that go with the role, a new expectation in Application Security is that the CISO will have a direct role in reviewing and approving user entitlements which are defined for use in application security. Gone are the days when the supervisor or department head alone would approve or deny access.
  • Cyber Security Personnel Requirements: Certification in security disciplines is no longer just a “nice to have”, but the DFS regulations state that attending training, conferences, and obtaining appropriate certifications is to be expected. Active, ongoing education and participation in social organizations centered on cyber security will be the expected norm. Of course, just having the certification is not sufficient. One must keep security in mind and act on what they know.
  • Training and Monitoring: In their Financial Services Alert which contains a more complete summary of the new DFS regulations, Mazars USA, a prominent CPA firm with a strong risk management practice, summarized the training aspect of the new regulations saying “Annual training in cybersecurity is no longer sufficient. A program is required that raises awareness, is supported by periodic reinforcement, and results in changed behavior and effectiveness in order to mitigate risk. In our experience, internal training solutions require significant management effort are exposed to major gaps, and have been criticized during regulatory reviews. We suggest clients consider solutions such as those offered by ThreatReady Resouces”

Regardless of how many regulations are added, or how stringent security controls become, there will always be a real threat from employees becoming lax in their diligence, or duped by social engineers. Now even regulators are beginning to recognize the need for security awareness training that focus on qualitative results. Companies today need to compare available training options and choose a solution that utilizes techniques which produce long-term behavior changes to combat this risk. Go beyond a traditional annual review program and implement ongoing safe computing training providing your staff the awareness and focus they need to keep you and your data safe.