Expect the status quo for banking security to change with the release of new requirements from the state of New York that are very likely to spread to all other states and into federal regulations. These requirements will cover policy management for vendors, notification of breaches, customer or employee access through multi-factor authentication and third-party security management policies.
What we know about the upcoming regulation changes so far comes from a letter, published in November of last year, from the New York State Department of Financial Services. Here are the highlights of the future requirements:
-
Define cybersecurity policies and procedures;
-
Define policies for third-party service providers’ cybersecurity;
-
Hire qualified Chief Information Security Officers;
-
Hire staff and vendors to ensure cybersecurity sufficiency;
-
Ensure CISOs enforce policies and procedures, ensuring application security;
-
Employ multi-factor authentication for online banking access, for employees and for service providers;
-
Audit all procedures;
-
Keep breach notification and cyber-incident policies updated.
Cybersecurity is a serious threat, especially in the banking industry. NYSDFS said this about the necessity for the requirements:
“The scale and breadth of the most recent breaches and incidents demonstrate that cybersecurity is a global concern that affects every industry at all levels. There is a demonstrated need for robust regulatory action in the cybersecurity space, and the department is now considering a new cybersecurity regulation for financial institutions. The department believes that it would be beneficial to coordinate its efforts with relevant state and federal agencies, to develop a comprehensive cybersecurity framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.”
With regulation on the horizon, banks need to beef up their cybersecurity budgets.
