Light Dark
January 4, 2017 By Mark Samuels 2 min read

The New York State Department of Financial Services (DFS) published a new cybersecurity regulation for firms operating in the financial sector. The proposal could have serious ramifications for IT decision-makers and their peers.

Financial Services Superintendent Maria T. Vullo revealed the updated plan at the end of 2016. The updated proposal spans 14 pages and includes a range of modifications from the initial plan released last September.

This cybersecurity regulation covers a series of best practices, from annual certification to executive sponsorship. The regulation highlights the importance of paying attention to governance concerns, particularly with regard to information security leadership.

New Responsibilities for IT Leadership

The original plan set a deadline of Jan. 1, 2017, for compliance with the new DFS cybersecurity regulation. Banks, insurance companies and other finance firms will now have until March 1 to meet the requirements of the proposal.

As part of the proposal, finance firms must create annual reports that cover material cybersecurity events. These documents must be accepted by the board and appropriate certification forwarded to DFS.

Cybersecurity leadership forms another key tenet of the regulation. Finance firms would need to employ a chief information security officer (CISO) to comply with DFS requirements.

An Adjustment Period

The newly proposed regulation provides financial institutions with more flexibility than the original plan. The adjustments were made after a period of consultation. An additional 30-day comment period will run before the new proposals are enacted in March.

Under the new proposals, firms have 72 hours to report a breach from the time it is discovered. In the original plan, firms had to report within 72 hours of the breach itself.

The original regulation also cited a six-year retention period for data. After consultation, the agency determined that the collection of data could create a bigger potential target for cybercriminals and reduced the retention period to five years.

Cybersecurity Regulation Presents New Challenges

Some influencers believe organizations already face too many compliance requirements. SecurityWeek reported that some experts believe regulations actually take IT specialists away from front-line defense work. Additionally, firms will likely struggle to appoint CISOs per the DFS requirement, as the role of the CISO remains poorly defined.

This anomaly exists because few businesses treat security as an individual line item. Employees with little security expertise too often undertake processes critical to cyberdefense. As a result, many CISOs lack insight into security investments across the enterprise.

 |  |  | 
Mark Samuels
Tech Journalist

More from

November 22, 2024

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

November 20, 2024

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature