By Richard Summerfield
Unless you have been living under a rock for the last few years, it will not have escaped your attention that instances of cyber crime have become increasingly prevalent in the business community. It seems not a week goes by without a cyber breach grabbing the headlines – along with a swathe of sensitive data.
Various regulatory bodies have taken steps to guide firms through the minefield of cyber security. This week, New York’s leading banking regulator – the New York Financial Department of Services (NYDFS) – became the latest to follow suit. The NYDFS felt motivated to act as, in its own words, it "considers cyber security to be among the most critical issues facing the financial world today".
In a letter to other state and federal regulators, including the US Office of the Comptroller of the Currency and Federal Reserve Board of Governors, the NYDFS revealed details about its potential new cyber security regulations for the banks and insurance companies which fall under its jurisdiction. These regulations could include a requirement for institutions to notify companies of data breaches. "It is our hope that this letter will help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions," wrote Anthony Albanese, NYDFS’ acting superintendent.
Organisations would also be obliged to ensure that contracts with third parties included a set of rules designed to keep sensitive data safe, including the use of multi-factor authentication, both internally and on customer log-on pages, and data encryption. Two-step authentication is becoming increasingly popular online. Social media giants like Facebook and Twitter, services such as Gmail, and even online video games now offer multi-step authentication. As such, it seems only logical that financial institutions embrace the technology.
Firms would also be required to appoint a chief information security officer if they do not already have one. The CISO would be responsible for overseeing policy, while cyber security staff would be required to undergo mandatory training.
Under potential new regulations, third party vendors – such as law firms, data processors and auditors – would also be required to achieve compliance moving forward.