[BreachExchange] New York Proposes Cybersecurity Regulations for Banks

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 13 19:19:07 EDT 2016


http://www.nasdaq.com/article/new-york-proposes-cybersecurity-regulations-for-banks-20160913-01013

New York Gov. Andrew Cuomo and the state's top banking regulator proposed
regulations Tuesday that would be among the first in the U.S. to require
banks to establish cybersecurity programs.

If implemented, the regulations would increase the onus on some of the
world's largest banks to invest in cyber protections that could cost them
and insurers millions of dollars, according to experts. Banks would be
required to hire a chief information security officer and implement
measures that detect and deter cyber intrusions and protect consumer data.

The proposed regulations also contain a requirement that banks notify New
York's Department of Financial Services of any material data breach within
72 hours of the event. A patchwork of state regulations currently covers
when companies must disclose breaches, and many large organizations have
kept such attacks secret.

The proposed regulations will be open for public comment for 45 days after
which a final version will be issued.

The potential regulations come as hackers increasingly aim their sights on
Wall Street.

For instance, New York federal prosecutors unsealed indictments in November
against three men alleging a sprawling cybercriminal enterprise that
included a hack of J.P. Morgan Chase & Co., which the bank said affected
about 76 million households. The intrusion renewed concerns that hackers
easily could wreak havoc with the U.S. financial infrastructure.

The Department of Financial Services—which regulates Goldman Sachs Group
and major foreign banks including Deutsche Bank AG, Barclays PLC and
others—has emerged as an aggressive pursuer of financial crime in recent
years. The agency's first superintendent, Benjamin Lawsky, also set
cybersecurity protections as a priority.

Maria Vullo, the agency's recently confirmed superintendent, has said she
plans to continue the tough enforcement policies of her predecessor, Mr.
Lawsky, while also striking a more business-friendly tone.

The proposed regulations include required minimum standards, but will allow
companies to assess their own risks to prevent "limit[ing] industry
innovation."

"DFS designed this groundbreaking proposed regulation on current principles
and has built in the flexibility necessary to ensure that institutions can
efficiently adapt to continued innovations and work to reduce
vulnerabilities in their existing cybersecurity programs," Ms. Vullo said
in a statement.

Under Ms. Vullo's watch in June, the agency published strict and
long-awaited anti-money-laundering regulations that were originally
proposed by Mr. Lawsky. Those regulations create requirements for banks to
curb illegal transactions by known terror organizations and other criminals
and take effect in 2017.

Both the money laundering and the cyber regulations contain requirements
that either board officers or senior compliance officers certify that
companies' controls are adequate, potentially opening such individuals up
to criminal liability if the controls are found lacking.

The proposed cyber regulations also require annual risk assessments and
penetration testing, in which hackers test cyberdefenses, encryption of all
nonpublic information transmitted to a bank or stored by it, and hiring and
training of cybersecurity-focused employees.