NY banking regulator unveils details on planned cybersecurity rules


  • Wednesday, 11 Nov 2015

Cybercrime victim: A cyberattack against JPMorgan Chase & Co involved hundreds of millions of dollars.

New York State's financial services regulator unveiled details about potential new cyber security regulations for banks and insurance companies under its jurisdiction.

The measures, which follow a string of high-profile hacking incidents, would range from requiring that firms appoint a chief information security officer to requiring that they adopt a multi-stepped process for allowing employees and customers to log into their systems.

The details were outlined in a letter sent by the New York Department of Financial Services (NYDFS) to other state and federal regulators, and are the most comprehensive information to date about the planned regulations.

NYDFS publicised the letter on the same day that US prosecutors unveiled criminal charges accusing three men of helping run a sprawling series of hacking and fraud schemes, including a huge 2014 attack against JPMorgan Chase & Co, that generated hundreds of millions of dollars of illegal profit.

"It is our hope that this letter will help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cybersecurity standards for financial institutions," wrote Anthony Albanese, acting NYDFS superintendent, in a letter to numerous regulators, including the US Office of the Comptroller of the Currency and Federal Reserve Board of Governors.

The NYDFS regulations, if ultimately adopted, would require firms to adopt written cybersecurity policies and procedures in 12 areas, including customer data privacy and network security. Firms would also have to develop policies requiring outside service providers to keep data secure.

The planned measures follow surveys that NYDFS conducted between 2013 and 2015 about cyber security programs of companies it regulates. An April report, for example, revealed that one-third of the 40 banks NYDFS had surveyed in 2014 did not require outside vendors to notify them of data breaches, which could compromise bank data.

Firms, if the measures are adopted, would have to conduct annual testing and auditing of their cybersecurity systems. Each firm's chief information security officer would also have to submit an annual report to NYDFS, informing the regulator of possible vulnerability to risks.

NYDFS has been mulling potential regulations for more than a year. Benjamin Lawsky, the agency's former superintendent, discussed the issue at a Reuters Financial Regulation Summit in May. — Reuters