The increasingly frequent and severe cyber security threats to the state's information and financial systems have led the New York State Department of Financial Services (DFS) to adopt its Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). The regulation took effect March 1, 2017 and is intended to protect customers' nonpublic information as well as the IT systems of regulated entities.
What are these requirements?
The regulation is not a short list of rules, so we have condensed the 15-page DFS document into its four most important points. Under the NY DFS Cybersecurity Regulation, financial services companies must:
- Establish and implement a risk-based cybersecurity program with written policies, procedures, an incident response plan and a fully funded and staffed management team.
- Designate a qualified Chief Information Security Officer (CISO) to oversee the cybersecurity program and the staff who monitor threats and evaluate new defensive controls.
- Periodically review user access privileges, limit access to nonpublic information and networks to those who need it, and conduct information security assessments and audits.
- Monitor for cybersecurity events and notify the DFS within 72 hours of determining that a reportable cybersecurity event has occurred.
Cyber crime is no longer just an IT issue; it is a business risk. The high-profile incidents of 2017 also show how quickly the technology behind cyber crime changes, which makes it difficult to stay current on the newest tactics. The DFS requirements themselves phase in on a schedule that runs through 2018 and beyond, so the bar will only get higher. How, then, do businesses intend to keep their cybersecurity and threat intelligence practices current?
Cyber Security Goes Beyond Technology
Even with the range of technologies available to protect a corporation against threats, if users aren't properly trained about security risks and prevention, cyber security fails and your company does not comply with the DFS regulation, which explicitly requires regular cybersecurity awareness training for personnel.
Security training goes beyond teaching employees the difference between a legitimate email and a phishing scam, or best practices for passwords. User behavior plays a huge role in good cyber security and should be part of any training program. For example, a user who works with sensitive data should learn why he or she needs to lock the workstation when walking away, even for a short period of time. Good training explains why these behaviors are necessary, and regular training turns security best practices into habit. An employee who is trained regularly is less likely to fall for a targeted attack.
Ongoing education is a recurring need because attacker techniques change constantly. New malware variants and phishing campaigns hit companies every day, so it is imperative for your team to keep training current.
Don’t Become Another Statistic
Financial institutions, insurance companies, and mortgage companies are among the organizations most frequently targeted by cyber criminals. In fact, nearly 75 percent of breaches are financially motivated. Even more alarming, in about 66 percent of malware incidents the malware arrived as a malicious email attachment that the recipient opened. Cyber education is therefore not just about complying with the DFS Cybersecurity Regulation; it is about preventing breaches that can cost billions of dollars, affect millions of clients, and tarnish a reputation built on trust.
Proactive Cyber Protection
Cybint’s enterprise solutions come with ongoing access to fresh content around emerging cyber threats, on-demand webinars, and tools to minimize risk and human error. Contact us to learn more about our enterprise solutions and corporate workshops.