January 4, 2017 By Mark Samuels 2 min read

The New York State Department of Financial Services (DFS) published a new cybersecurity regulation for firms operating in the financial sector. The proposal could have serious ramifications for IT decision-makers and their peers.

Financial Services Superintendent Maria T. Vullo revealed the updated plan at the end of 2016. The updated proposal spans 14 pages and includes a range of modifications from the initial plan released last September.

This cybersecurity regulation covers a series of best practices, from annual certification to executive sponsorship. The regulation highlights the importance of paying attention to governance concerns, particularly with regard to information security leadership.

New Responsibilities for IT Leadership

The original plan set a deadline of Jan. 1, 2017, for compliance with the new DFS cybersecurity regulation. Banks, insurance companies and other finance firms will now have until March 1 to meet the requirements of the proposal.

As part of the proposal, finance firms must create annual reports that cover material cybersecurity events. These documents must be accepted by the board and appropriate certification forwarded to DFS.

Cybersecurity leadership forms another key tenet of the regulation. Finance firms would need to employ a chief information security officer (CISO) to comply with DFS requirements.

An Adjustment Period

The newly proposed regulation provides financial institutions with more flexibility than the original plan. The adjustments were made after a period of consultation. An additional 30-day comment period will run before the new proposals are enacted in March.

Under the new proposals, firms have 72 hours to report a breach from the time it is discovered. In the original plan, firms had to report within 72 hours of the breach itself.

The original regulation also cited a six-year retention period for data. After consultation, the agency determined that the collection of data could create a bigger potential target for cybercriminals and reduced the retention period to five years.

Cybersecurity Regulation Presents New Challenges

Some influencers believe organizations already face too many compliance requirements. SecurityWeek reported that some experts believe regulations actually take IT specialists away from front-line defense work. Additionally, firms will likely struggle to appoint CISOs per the DFS requirement, as the role of the CISO remains poorly defined.

This anomaly exists because few businesses treat security as an individual line item. Employees with little security expertise too often undertake processes critical to cyberdefense. As a result, many CISOs lack insight into security investments across the enterprise.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today