Federal and State Enact Cyber-Security Rules on Financial Services Firms



Federal and State regulators have formalized cyber security regulations for financial services institutions. From the SEC, Securities and Exchange Commission, the regulation is REG-SCI, Regulation Systems Compliance and Integrity. The New York State Department of Financial Services, NYSDFS, enacted their cyber security guidelines on top of financial institutions they regulate in New York State. These include NY state chartered banks, foreign banks and insurance companies along with third-parties companies that service NY State regulated financial entities.

The New York State regulation, (23 NYCRR 500) requires banks and insurance companies to compel all their third party vendors to create, enable and maintain for disclosure cyber security compliance policies and plans as risk assessments. New York State DFS has documented wide ranging policies and procedures for banks and insurance entities to adhere to. These include systems and network security and monitoring, device management, identity management, computer governance – access and entitlements as well as physical security. Covered entities are required to provide Incident Response plans and communications, both how the internal teams will respond and the formalized process for reporting the details to the New York State Department of Financial Services. Across the United States, New York is the first state in the country to administrate cyber security regulations for financial services. New York State regulated entities must also name a Chief Information Security Officer (CISO) and must deliver updated annual certification of their compliance with cyber regulations.

New York Governor Andrew M. Cuomo issued the cyber security statement. “The first-in-the-nation cybersecurity regulation to protect New York’s financial services industry and consumers from the ever-growing threat of cyber-attacks will take effect on March 1, 2017. The final regulation requires banks, insurance companies, and other financial services institutions regulated by the Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers’ private data and ensure the safety and soundness of New York’s financial services industry.”

Governor Cuomo continued, “New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks,” Governor Cuomo said. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

The Securities and Exchange Commission Reg SCI was enacted more than a year ahead of the New York State cyber regulation. Mary Jo White, Chair of the Securities and Exchange Commission spoke to Congress about Regulation SCI and said, “Given the heavy reliance on technology and automated systems in the securities markets today, the impact of technology failures can be significant. Recent technology issues in the markets have illustrated the risks of systems issues, including the impact on investors and losses that can occur.” SEC Chair White continued. “The rules provide greater accountability for those responsible for our critical market systems, helping ensure that such systems operate effectively and that any issues are promptly corrected and communicated to market participants and the Commission.” SEC examinations of asset managers and hedge funds in addition to examinations of books and records, trades, fees and commissions and financial compliance will also include a “cybersweep,” focused on cybersecurity compliance and controls.

Cyber security regulations in the United States have propelled business for cyber security vendors. Malware and virus protect continue to evolve along with identity management solutions. Maturing and evolving technologies include Penetration testing, privilege account management, end point security, SEIM security information and event management (SIEM) and User Behavior Analytics (UBA) solutions. These tools leverage machine learning and respond faster than humans. Mobile phones and messaging come in under the cyber security umbrella of government regulations.

Former New York City Mayor Rudy Giuliani joined the law firm of Greenberg Traurig as Chair of their Cybersecurity Management Practice. Giuliani has lectured, “on the reality and threats of the dark net and dark web.” President Trump named Rudy Giuliani as his private sector cyber security advisor.


Image Credit: CC by Blogtrepreneur

About the author: Eugene Young

Eugene Young is a Director of Business Development focused on the integrity and stability of the global financial ecosystem. Eugene is available to usher companies through their financial regulatory and compliance reporting obligations.

You are seconds away from signing up for the hottest list in New York Tech!

Join the millions and keep up with the stories shaping entrepreneurship. Sign up today.