The countdown is on. Financial institutions doing business in New York must comply with new cyber security rules from the state’s financial regulator by March 2018.
These revamped regulations—the first of their kind nationwide—will impose stringent cyber security requirements on banks, insurers and other institutions regulated by the state’s Department of Financial Services.
The NYDFS oversees 4,500 entities, including banks, credit unions, licensed agents and brokers, New York insurance companies and financial institutions with customers in N.Y.
Here are five key ways to stay on top of the new regulations:
1. Know who is affected: board members and the C-suite, compliance officers, IT security and operations staff, and ultimately the customers whose data the rules are meant to protect.
2. Follow this compliance checklist:
- Create a written cybersecurity policy and the processes needed to ensure that the activities it requires are actually carried out.
- Put technologies and processes in place to detect breaches of personally identifiable information, determine what was compromised and how, report on what was breached and identify the potential consequences.
- Establish governance that gives the board oversight of the cybersecurity program.
3. Beware of these potential stumbling blocks:
- Smaller institutions may need to be creative in implementing governance, oversight, segregation of duties and staffing for the new processes.
- Expertise may be difficult to find or costly to retain.
- Reporting requirements are still unclear, especially which agency or office will handle breach reports.
4. Follow these best practices for compliance:
- Assess: Determine what is already in compliance and what remains to be done.
- Outsource: Secure outside expertise to fulfill the CISO requirement where in-house staff cannot.
- Test: Test all controls 60 days or more before they are required to be in place, leaving time to fix anything that fails.
- Project management: Apply strict discipline to put the changes in place over the course of the year.
- Plan: Run an exercise to identify the steps and timelines required to put all of the policies, processes, governance and technologies in place.
5. Adhere to the compliance timeline: the deadline is March 31, 2018.