The financial industry needs regulation to help ensure cyber security, says New York’s Department of Financial Services (NYDFS), which is planning new rules designed to help bolster the industry’s defenses.
In a letter to various U.S. regulators, including the Securities and Exchange Commission (SEC), the Commodities Futures Trading Commission (CFTC), and various banking and insurance regulators, NYDFS says that it is considering new regulations designed to increase cyber defenses within the financial sector.
Cyber security is “one of the most critical issues facing the financial world today”, the NYDFS letter says, adding that it represents a particular challenge for regulators. Among other things, the letter says: financial firms are challenged to keep up with technology; firms are vulnerable through third-party service providers that may be attractive targets for hackers; and cyber security is a global concern affecting every industry at all levels.
“There is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions,” the letter says, and it calls for co-ordination between state and federal agencies “to develop a comprehensive cyber security framework”.
The NYDFS letter adds that the potential regulations would require firms to maintain a cyber security program, and would set specific requirements for those programs in areas such as information security, data governance, and business continuity and disaster recovery planning, among other things.
Firms would also be required to have policies to ensure the security of sensitive data or systems at third-party service providers, the NYDFS letter says. They would have to use multi-factor authentication in certain areas, and they would also be required to designate a chief information security officer, along with other personnel, to manage cyber security risks.
In addition, the rules would mandate annual penetration testing and quarterly vulnerability assessments, and they would impose obligations to report cyber security incidents to regulators, the NYDFS letter says.
“It is our hope that this letter will help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions,” the NYDFS letter says.