New york
24 February 2017
Reporter: Stephanie Palmer

New York takes steps to stop cyber crime


The New York Department of Financial Services (DFS) has implemented new cyber security regulatory requirements for financial services companies, effective from 1 March.

The new regulation, called the first of its kind in the US, requires banks, insurance companies and other regulated financial services institutions to establish and maintain a cyber security programme for protecting consumers’ data.

It sets out minimum regulatory standards and encourage firms to stay abreast of technological advances. The DFS introduction to the regulation specifies that it is not intended to be “overly prescriptive” so that “cybersecurity programmes can match the relevant risks and keep pace with technological advances”.

It went on: “The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the programme outlined in these regulations is a priority for New York State.”

The rules include controls around the governance framework for a robust cyber security programme. Programmes must be adequately funded and staffed, and overseen by qualified management, while the most senior governing body of the organisation must receive reports on the programme periodically.

Minimum standards for technology systems will apply to access controls, data protection encryption and penetration testing, and to the manner in which cyber breaches are addressed if they do occur.

These standards will apply to a firm’s incident response plan and preservation of data for incident response, and they will have to send notice to the DFS if a significant breach occurs.

Finally, the new rules bring in additional accountability, with the DFS requiring annual certification of regulatory compliance, remediation plans and identification and documentation of material deficiencies.

Governor of New York Andrew Cuomo said: "New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber attacks."

He added: "These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber crimes."

DFS superintendent Maria Vullo said: “With this landmark regulation, DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information. As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber attacks.”

The announcement follows publication of a proposed regulation in September 2016, followed by a 45-day comment period, and a second proposal in December 2016, followed by a 30-day comment period.

More regulation news
The latest news from Asset Servicing Times
Join Our Newsletter

Sign up today and never
miss the latest news or an issue again

Subscribe now
LEIs offer major cost savings, says OFR
17 November 2017 | Washington DC | Reporter: Drew Nicol
The OFR noted that early academic studies found that cost savings associated with adoption of the LEI approached $1 billion annually
MTS and UnaVista to collaborate for SFTR
13 November 2017 | London | Reporter: Jenna Lomax
The collaboration means that firms trading on MTS’s new global collateral management segment will be able to use UnaVista’s trade repository to trade under SFTR
LSE teams up with APIR Systems to brings LEIs to Australasia
08 November 2017 | London | Reporter: Drew Nicol
Industry estimates suggest more than 250,000 entities are still without the required LEIs
MiFID II creates “much uncertainty” for EEA members
06 November 2017 | Oslo | Reporter: Jenna Lomax
For EEA members, “much uncertainty” remains regarding ESMA's assessment of the EEA legal basis for MiFID II, according to Norway’s Finanstilsynet
SimCorp: MiFID II remains a concern for buy-side firms
01 November 2017 | London | Reporter: Becky Butcher
Some 28 percent of buy-side representatives are still unsure if and how their firm will be affected by MiFID II, just 90 days before the implementation deadline, according to a SimCorp survey
SEC grants relief to US brokers on MiFID II
27 October 2017 | New York | Reporter: Theo Andrew
The division of investment management issued three no-action letters, providing 30 months relief, allowing US broker-dealers to receive payments in hard dollars
Solvassure creates first-of-its-kind integrated reg platform
25 October 2017 | London | Reporter: Theo Andrew
The compliance platform addresses demands under the General Data Protection Regulation and the Accountability Regime, to help firms meet next year's regulatory deadlines
More regulation news