New cybersecurity regulation hits New York financial firms March 1

The rules, which include having written policies and procedures and a designated chief information security officer, could become a model for other states

Jan 17, 2017 @ 1:43 pm

By Liz Skinner

New cybersecurity rules for some financial services providers are set to take effect March 1 for firms doing business in New York, and the new requirements may be showing up around the nation before too long.

The fairly prescriptive proposed rules, initially published in September by New York's Department of Financial Services and updated last month, require banks, insurance companies and other financial services institutions regulated by the department to have a cybersecurity program aimed at protecting consumers.

Since investment advisers and broker-dealers aren't licensed by the DFS, financial advisers would only be covered by the rule if they are licensed by the department in some other capacity, like as an insurance broker or agent, said Ron Klug, a spokesman for the DFS.

In addition to written policies and procedures, firms must have a designated chief information security officer to oversee and enforce the program, train employees and report hacking attempts to the state within 72 hours if the hacks have a reasonable likelihood of harming the firm's normal operations.

The rules, officially under comment until Jan. 27, would be the first in the U.S., and are expected to be a model for other states.

(More: Is cyber insurance worth the cost?)

“In essence they're creating a national law, like California did in writing their privacy laws,” said John Cunningham, chief information security officer at Docupace Technologies. “New York is creating a standard that will probably be a catalyst for a national change.”

The requirement that firms have a C-suite-level employee in charge of the cybersecurity program could be challenging. That person will need to be trained and qualified to take on this role, Mr. Cunningham said. Even finding someone to act as CISO — let alone the cost if one needs to be hired — could be difficult.

“There will be a significant cost to find people with those skills and it will create a bidding war for them,” he said.

Many firms have written cybersecurity policies today, but the new rules hold firms accountable for making sure they're complied with, Mr. Cunningham said.

(More: Watch for this new cybersecurity scam, IRS warns)

As part of protecting client data, for example, firms will need to monitor all data leaving the firm and have systems in place for email that blocks certain types of information, such as Social Security numbers.

Firms also will need to gauge their security through penetration testing, which typically costs between a few thousand dollars to $15,000, he said.

New York regulators said the revised proposal, which delayed implementation of the rules by two months, gives firms enough time to ready their systems.

“New Yorkers must be confident that the banks, insurance companies and other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information,” said Maria T. Vullo, superintendent of the financial services department.

Her department said it surveyed about 200 of the financial firms it regulates to evaluate cybersecurity progress and develop the requirements.

(Correction: An earlier version of this story suggested advisers in New York would have to meet the new cybersecurity requirements, when, in fact, only advisers who are separately licensed by the Department of Financial Services will come under the rules.)

0
Comments

What do you think?

View comments

Recommended for you

Featured video

Events

What can advisers learn from the first female fighter pilot?

Pressure is pressure. Whether you are taking off from an aircraft carrier or dealing with the unforgiving movements of the market, you need to have a plan. Carey Lohrenz, the world's first female F-14 pilot, has some advice for advisers.

Latest news & opinion

10 most affordable U.S. cities for renters

Here are the U.S. cities that are most affordable for renters, according to Business Student.com, which compared the cost of rent to average salaries.

9 best - new - financial adviser jokes

Scroll through for nine new financial adviser laughs.

Captrust, prominent 401(k) advice firm, ramps up its wealth management business

Captrust wants to grow annual revenue from wealth management to 50% from 30% over the next five years.

Fidelity CEO says zero-fee funds aimed at expanding its universe

Johnson says way to prosper in financial services is 'by building relationships.'

SEC advice rule contains a huge hole

Jay Clayton aims to clear up investor confusion by drawing a distinction between brokers and advisers in the agency's proposed package of revised standards. But where do dual registrants fit?

X

Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting investmentnews.com? It'll help us continue to serve you.

Yes, show me how to whitelist investmentnews.com

Ad blocker detected. Please whitelist us or give premium a try.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print