The New York State Department of Financial Services (NYDFS) is proposing an amendment to its regulations requiring financial services companies to increase their cybersecurity planning, reporting, and protection. The Department of Financial Services supervises and regulates the activities of approximately 1,500 banking and other financial institutions with assets totaling more than $2.6 trillion and more than 1,400 insurance companies with more than $4.7 trillion in assets.
Under the proposed amendment, the onus is placed upon corporate boards and executive leadership to:
- Implement and maintain a written cybersecurity policy approved annually to protect information systems and nonpublic information stored on those systems
- Designate a qualified individual (CISO or equivalent) responsible for overseeing and implementing a cybersecurity program and enforcing its cybersecurity policy
- Require the CISO to provide a written report at least annually to the board or equivalent governing body
- Require the CISO to report promptly to the board on material cybersecurity issues, including updates to a company's risk assessment or major cybersecurity events
- Develop and implement, as part of the cybersecurity program, written policies and procedures for vulnerability management, assessing the effectiveness of the program
Cybersecurity programs shall limit user access privileges to information systems, limit the number of privileged accounts, review all user access privileges at least annually, disable or securely configure all protocols that permit remote control of devices, and promptly terminate access following departures.
"These requirements are a great example of how cyber risk isn't purely a bits and bytes issue to be 'handled by the security team,'" Jamil Farshchi, EVP and CISO at Equifax, said in a LinkedIn post today about the NYDFS proposal. "It's a core responsibility of the board and management team."
In a comment to Farshchi's LinkedIn post, Becky Gaylord, a cybersecurity and data privacy consultant, said, "The NYDFS proposal validates communication as the linchpin between IT and C-suite/board of directors.
Senior 'cyber deciphers' are now vital and should possess the following:
- Professional, experienced strategic communicator, experienced in crisis and issue management. Have INFOSEC certifications and passion for #cyber and #dataprivacy.
- Smoothly translate technical information to any audience, from top executives to new employees."
The NYDFS proposed amendment is open for comment until 9 January 2023. The amendment comes weeks after the State of New York announced it will be the first US jurisdiction to require attorneys to complete one credit hour of cybersecurity, privacy, and data protection training as part of their biennial Continuing Legal Education (CLE).
The new accreditation requirement will go into effect on 1 July 2023, and attorneys can begin earning credit as early as January 2023. It is up to all companies to take steps and adopt procedures to protect themselves from cyberattacks even before new regulations come into effect.
The following is what Red Sky Alliance recommends:
- All data in transmission and at rest should be encrypted.
- Proper data backup and off-site storage policies should be adopted and followed.
- Implement 2-factor authentication company-wide.
- For USA readers, join and become active in your local InfraGard chapter; membership is free: https://www.infragard.org/
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services, and devices to be used by all at-home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. The RedXray service is $500 a month and provides threat intelligence on ten (10) cyber threat categories, including keyloggers, without having to connect to your network or install hardware/software.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@wapacklabs.com.
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989