Navigating the Evolving World of Cybersecurity Regulations in Financial Services
As laws and regulations continually evolve, financial services organizations are finding it increasingly challenging to maintain compliance. In November, the New York Department of Financial Services (NYDFS) introduced revised regulations calling for stricter cybersecurity controls for financial services companies, including banks, insurance companies, investment firms, and others in the industry.


To avoid fines and penalties under the NYDFS rules, known as Part 500, organizations considered “covered entities” must implement multifactor authentication or use reasonably equivalent secure access controls approved by the organization’s Chief Information Security Officer (CISO). As we approach 2025, these entities will also need approved written cybersecurity policies and procedures, a designated CISO, a written incident response plan, encryption, periodic access reviews, and continuous monitoring or periodic penetration testing and vulnerability assessments.


These regulations emphasize the need for periodic risk assessments of the information systems in place. That requirement obliges firms to update their controls as the threat environment changes, while the regulations also establish an explicit baseline of cybersecurity controls that must be implemented regardless of the assessment's outcome. The combination is intended to preserve the risk-based approach adopted when the initial cybersecurity regulations were issued, while addressing a weakness observed in prior cyber incidents: firms that had not maintained standard controls against cyberthreats.


Accountability is a key element of the NYDFS regulations. CISOs must now provide a report updating their governing body or board of directors on the company’s cybersecurity posture and plans to address any security gaps. Maintaining accountability involves communicating effectively with the board about cybersecurity risks, ensuring that the board understands its role in evaluating major issues, such as ransomware attacks that could potentially shut down business operations.



Cybersecurity regulations in finance have evolved significantly since the Gramm-Leach-Bliley Act, which requires financial institutions to inform customers about their information-sharing practices and to safeguard sensitive data. The Securities and Exchange Commission (SEC) recently updated its cybersecurity rules for broker-dealers and investment firms, requiring organizations to notify customers of a cybersecurity incident within 30 days. Additionally, if a public company suffers a material cybersecurity incident, it must report it on a Form 8-K within four business days.


The Department of Homeland Security has also issued a request for comment on the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This act calls for regulations requiring covered entities to report cyber incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA).


The growing number of overlapping controls and requirements that apply to the same set of companies highlights the benefit, for organizations of all sizes, of implementing a strong, enterprise-wide governance, risk, and compliance program. Financial services organizations should support compliance by establishing incident response plans that set out the company's approach to handling a breach. Some regulations now dictate what an incident response plan must contain, shifting from a focus on processes and best practices to more prescriptive requirements.


The Federal Trade Commission (FTC) may also adopt a portion of NYDFS Part 500 in the FTC’s Safeguards Rule. This rule, which took effect in 2003 and was updated in 2021, requires financial institutions to implement an information security program that includes “administrative, technical, and physical safeguards” to secure customer information, along with conducting risk assessments.


Financial services companies benefit significantly from access management lifecycle policies and practices that leverage a zero-trust approach for both privileged and nonprivileged users. A mature zero-trust strategy limits damage if a breach occurs, ensuring better protection and resilience against cyberthreats.


As the cybersecurity landscape continues to evolve, organizations must remain vigilant, continuously assessing and updating their security measures. This is where Directpath Global Technologies (DGT) can make a difference. As a Managed Security Service Provider (MSSP), DGT offers comprehensive solutions such as Mobile Threat Defense (MTD), Extended Detection and Response (XDR), Vulnerability Assessment and Penetration Testing (VAPT), System and Organization Controls 2 (SOC 2) compliance, and Virtual Chief Information Security Officer (vCISO) services. DGT's Artificial Intelligence Division tailors these services to the needs of each organization, enhancing not only cybersecurity but other operational aspects as well.


In the face of ever-changing regulations and sophisticated cyber threats, proactive cybersecurity planning and strategic investments are crucial. Partnering with experts like Directpath Global Technologies ensures that organizations can navigate the complexities of cybersecurity regulations while maintaining robust defenses against emerging threats.

Source: BizTech
