New York is introducing new cybersecurity legislation for financial companies. If your financial firm does business in New York State, get ready - these regulations are hard-hitting and thorough. Here's what you need to know.
Spurred on by what seems like nonstop cybersecurity attacks on financial institutions over the last few years, New York State is taking a strong stand against the lackluster information security requirements that many banks and other financial institutions employ by working on infosec legislation. While many legislative regulations focus on institutions that are based in the state of New York, these are a little different: they require ANY financial institution that does business in New York State to adhere to them.
These regulations are still in the review process, having undergone two iterations already. The final iteration, which has yet to come out, will likely be the last before it's enacted into law. The proposed regulations are pretty long and thorough, but there are a few key points that IT security professionals should be aware of - especially if you do business in New York State.
Annual Pen Tests for Financial Services Companies
The newly proposed legislation starts by requiring all financial services companies that do business in New York to implement annual penetration testing to find vulnerabilities in IT infrastructure as well as in-person security vulnerabilities - especially in consumer-facing environments like bank branches and consumer financial services offices. The downside to this (and many of the other requirements) is that the second revision introduced language that ties the requirement to risk assessments done periodically and "updated as reasonably necessary". This leaves holes in the proposed legislation and opens it up to interpretation, a change that was potentially added as part of a lobbying effort to loosen up the rules.
Bi-Annual Vulnerability Scanning Requirements
Another major update is that bi-annual (twice-yearly) vulnerability scanning is listed as a requirement. Given that our own research has found 1.1 critical security and compliance issues per 1,000 lines of custom SAP ABAP code, bi-annual vulnerability scanning is a big improvement over the preventative measures that many financial services companies currently employ. This requirement has been watered down a bit, as the initial legislative copy stated that vulnerability scanning should be done quarterly. Still, twice a year is certainly better than nothing.
Financial Services Companies Will Need to Hire a CISO
One of the more interesting aspects of the legislation is the requirement for financial services firms to hire (or contract with) a Chief Information Security Officer (CISO). This requirement will likely be waived for small businesses that can't manage the overhead costs associated with that type of hire. For the remaining companies, however, a CISO will help prioritize and manage cybersecurity risks and threats.
There's still more to the proposed legislation, and if you want to read the current iteration, you can find all 14 pages here. It's currently under its second 45-day review period, after which a third revision will be posted. Once that's live, we'll be writing more about what every infosec professional in the financial services industry should be aware of when doing business in New York state.