New York state will be the first in the nation to implement its own set of cybersecurity regulations for banks, insurance companies and other financial institutions operating under DFS scrutiny to ensure the safety of consumers and financial records.
DFS has mulled over the plan throughout this year, making adjustments following a 45-day comment period that ended in mid-November. The updated proposal was released Wednesday. Changes could still occur before the plan goes into effect March 1, 2017. Financial institutions will have six-months to comply.
The DFS plan includes a number of cyber security measures that financial institutions will be required to follow, including periodic risk assessment of cyber security programs, encryption of non-public information, and the development of an incident response plan. Institutions must also designate a chief information security officer to oversee all cyber security program operations as well as establish policies that ensure third party security providers are accountable for such programs.
Scott M. Pooler, Vice President & Chief Information Officer of Watertown Savings Bank, said the bank follows many of the policies included in the state’s plan. The bank follows similar cyber security guidelines set by the Federal Financial Institutions Examination Council. Therefore, he said, the bank will not have to significantly update its security program.
“For us, I don’t anticipate a huge financial burden,” Mr. Pooler said, adding that the bank already uses a “multi-layered” approach to cyber security that utilizes multiple tools and third-party providers. Mr. Pooler said the Watertown Savings Bank will take the necessary steps if there are any new requirements set by the state.
Mr. Pooler noted that while the new guidelines may not have a drastic effect on banking institutions, smaller companies may have a harder time adjusting to the requirements. For instance, the plan’s encryption requirement, he said, could be complicated, as it could involve the hiring of outside expertise to implement a complex system.
Thomas H. Piche, CEO of Carthage Federal Savings & Loan Association, said his bank is also up to par on cyber security, but additional measures will be installed if they are required by the state.
“It’s typically money well spent,” Mr. Piche said. “A breach could be a lot more expensive.”
The DFS plan will be finalized following a 30-day notice and public comment period.
©2016 Watertown Daily Times (Watertown, N.Y.) Distributed by Tribune Content Agency, LLC.
