Major financial firms operating in New York need to comply with tougher cybersecurity rules that came into effect this week.
The regulation [PDF] by the New York State Department of Financial Services (DFS) covers issues ranging from the maintenance of written policies, testing, governance and auditing, to detection, defence and incident response measures. Banking, insurance or financial services firms licensed to operate in New York must comply. The rules came into effect on 1 March but there is a 180-day grace period before any enforcement actions will be considered.
Tim Erlin, director and risk strategist at security tools firm Tripwire, comments: "The new NY DFS regulation has the same challenges that all cybersecurity regulations face: how to provide prescriptive requirements that are technology agnostic. The DFS regulation addresses the challenge of keeping up with the changing threat landscape by tying the details to a prescribed risk assessment."
The DFS regulation intentionally avoids mandating many specific controls, but it does include requirements for annual penetration tests and bi-annual vulnerability assessments.
Erlin argued that more frequent vulnerability assessments would be preferable. "It's well accepted that infrequent vulnerability assessments aren't enough, and it would be very surprising for any risk assessment to conclude that a biannual vulnerability assessment would be sufficient to protect a business," he said.
Law firm Pinsent Masons explains what financial firms should expect here. ®