The New York State Dept. of Financial Services (DFS) has released a revised draft of its proposed cybersecurity regulation for banks, insurance companies and other financial services, Cybersecurity Requirements for Financial Services Companies (PDF).
The updated regulation requires organizations to develop a cybersecurity program and written policy to protect the integrity and privacy of confidential data.
The DFS also pushed back the implementation deadline from the original date of Jan. 1, 2017 to March 1, 2017. Organizations must meet compliance requirements within 180 days of the regulation’s effective date.
The new regulations also require organizations to notify the DFS within 72 hours of determining that a security incident has occurred.
The DFS requires organizations to use multi-factor authentication or risk-based authentication to protect against unauthorized access to nonpublic information systems.
Multi-factor authentication (MFA), also known as two-factor authentication, can protect against phishing and other password exploitation attacks by verifying a user’s identity via another factor - such as the approval of a push notification sent via a mobile app. Learn more about two-factor authentication.
Risk-based authentication is when an authentication system takes into account the profile of the device/user requesting access. If the risk is high, the authentication process becomes more restrictive.
The DFS also requires MFA for any user accessing the organization’s internal networks from an external network, “unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.”
Penetration Testing and Vulnerability Assessments
The DFS requires that each organization includes continuous monitoring and periodic testing in their cybersecurity programs. That includes bi-annual vulnerability assessments, including systematic scans reviews of information systems to identify known vulnerabilities.
A different way you can protect against known vulnerabilities is to implement a security tool to detect, notify and block users logging into your systems with out-of-date and risky mobile phones, laptops, tablets, etc. to ensure only trusted devices are granted access to your applications.
Organizations must also limit and periodically review user access privileges to information systems that provide access to nonpublic information.
Generally, the rule of least privilege is a good standard security best practice to follow, which dictates limiting user access to only the applications they need to do their job.
Third-Party Service Provider Security
The DFS also requires financial organizations to maintain a security policy to ensure that information systems that are accessible or managed by third-party service providers are also properly secured.
That includes an inventory list of providers, risk assessments, minimum cybersecurity practices, periodic assessments, policies and procedures and more.
Financial organizations also need to ensure that third parties use access controls, including multi-factor authentication to limit access to sensitive systems and confidential information.
The updated proposed regulation will be finalized after a 30-day public comment periods, according to the DFS.