Shortly after the National Futures Association (NFA) announced that it will tighten the requirements regarding cyber security for all of its members, including Forex brokers, another US regulator is considering new cyber security requirements.
The New York State Department of Financial Services (NYDFS) has sent an official letter to Financial and Banking Information Infrastructure Committee (FBIIC) members, including institutions like the Commodities Futures Trading Commission (CFTC) and the Securities and Exchange Commission (SEC). The letter outlines NYDFS’s plans to boost cyber security defenses within the financial sector.
The letter presents several key regulatory proposals that the New York financial regulator is currently considering and invites feedback on these proposals.
Cyber Security Policies and Procedures
Covered entities would be obliged to implement and maintain written cyber security policies and procedures that address the following areas:
(2) data governance and classification;
(3) access controls and identity management;
(4) business continuity and disaster recovery planning and resources;
(5) capacity and performance planning;
(6) systems operations and availability concerns;
(7) systems and network security;
(8) systems and application development and quality assurance;
(9) physical security and environmental controls;
(10) customer data privacy;
(11) vendor and third-party service provider management;
(12) incident response, including by setting clearly defined roles and decision making authority.
Third-party Service Provider Management
Each covered entity will have to implement and maintain policies and procedures to ensure the security of sensitive data or systems that are accessible to, or held by, third-party service providers. The policies and procedures would be required to include internal requirements for minimum preferred terms to be included in contracts with third-party service providers, including provisions requiring:
(1) the use of multi-factor authentication to limit access to sensitive data and systems;
(2) the use of encryption to protect sensitive data in transit and at rest;
(3) notice to be provided in the event of a cyber security incident;
(4) the indemnification of the entity in the event of a cyber security incident that results in loss;
(5) the ability of the entity or its agents to perform cyber security audits of the third-party vendor;
(6) representations and warranties by the third-party vendors concerning information security.
Multi-Factor Authentication
Covered entities will have to implement multi-factor authentication for all access to internal systems and data from an external network.
Chief Information Security Officer
Each covered entity would be required to designate a qualified employee to serve as its Chief Information Security Officer (CISO).
Cyber Security Personnel and Intelligence
Each covered entity would be required to employ personnel to manage the entity’s cyber security risks and to provide mandatory training to cyber security personnel.
Audit
Each covered entity will have to conduct annual penetration testing and quarterly vulnerability assessments.
Notice of Cyber Security Incidents
Each covered entity will be obliged to immediately notify the Department of any cyber security incident that has a reasonable likelihood of materially affecting the normal operation of the entity, including any cyber security incident:
(1) that triggers certain other notice provisions under New York Law;
(2) of which the entity’s board is notified;
or (3) that involves the compromise of “nonpublic personal health information” and “private information” as defined under New York Law, payment card information or any biometric data.
You can view the full letter from the NYDFS by clicking here.