A new regulation, which takes effect on March 1, requires companies supervised by New York’s Department of Financial Services to establish and maintain a cyber security programme that can protect consumers’ private data and “ensure the safety and soundness” of the state’s financial services industry.
Executives will be made to submit an annual certification that the company is complying with the various requirements, and agree to notify the DFS of any serious breaches within 72 hours of their discovery.
“This has gone further than any other regulation I’ve seen, and is the most prescriptive,” said Joe Nocera, Chicago-based leader of PwC’s cyber security practice.
The new regime comes as financial institutions are under near-constant bombardment from criminals, “hacktivists” and disaffected insiders, all trying to breach their defences. Attempts range from “watering hole” attacks, where employees gather at spoofed websites that implant malware, to more complex schemes led by state-linked groups.
But the requirement for an executive to testify that the company’s systems are up to scratch could expose that individual to liability if the company’s cyber security programme is later found to be non-compliant.
The regulation also says that companies should flag incidents to the DFS which “have a reasonable likelihood of materially harming” the company.
That could be a “tall order,” said Aleksandr Yampolskiy, chief executive of SecurityScorecard, a risk benchmarking company. “Banks have all kinds of systems gathering data. Sometimes there’s so much of it they don’t know what they have.”
Full article on Financial Times (subscription required)