When Ben Lawsky was running the New York Department of Financial Services (NYDFS), he proposed new cyber security examination rules. Now that he has moved on to start his own legal consulting firm, the work he started continues.
This week the post-Lawsky NYDFS released a set of proposed cyber security regulations. And, just to up the ante, it shared the proposal with the other significant regulators: the Federal Reserve, the OCC, the SEC and the other state regulators. The goal is to get everyone to adopt the same basic rules.
So what is in this gem? If you are a state or federally chartered bank, an insurance company or a broker-dealer, you might want to check this out. Here are the highlights:
- Written policies and procedures covering 12 specific areas, including data governance, access controls, systems and application development and QA, vendor and third party risk management, and incident response (and that is just one item on the list)
- Third party service provider management
- Multi-factor authentication
- Hiring a CISO, who must submit an annual report to the regulator, signed off on by the Board
- Application security procedures, guidelines and standards
- Cyber security staff and intelligence
- Cyber security audit
- Notification of the department in the event of any cyber security incident
While this is only a proposal and may change, it likely will not “go away”.
If you are a regulated entity, now might be a good time to start planning and getting ready for whatever comes.