Coming to Your State?: New York Releases First-of-its-Kind Cybersecurity Regulation for Banks
Chris Bedel : Sep 21, 2016
Last week, New York Governor Andrew Cuomo announced a newly proposed state regulation for banks, insurance companies, and other financial institutions. In doing so, New York would become the first state in the nation with such regulation.
Citing the need to protect consumers and the financial industry itself from cyber attacks, NY officials are describing the new Department of Financial Services regulation as groundbreaking.
And while I wouldn't describe it as "groundbreaking", there are several key take-aways:
- Requirement for all institutions to designate a qualified CISO (Chief Information Security Officer)
- Requirement for the CISO to report twice per year to the board on the cybersecurity program status
- Requirement for encryption of all Non-Public Information, both in transit and in storage
Obviously, if you are in New York, this could have an impact on your financial institution by year end. But what impact does this have on banks and credit unions in other states?
My guess is that we'll see other states follow suit in the not-so-distant future, and we may even see the FFIEC cherry-pick some of the requirements from the NY regulation for their own guidance and/or regulations.
The good news is that most banks are already doing most of what NY is describing as groundbreaking.
But the one trend that I do see is the consistent reinforcement of the need for strong leadership from an experienced CISO, and that is one area that many community financial institutions are lacking.
Because cybersecurity starts at the top, banks and credit unions need to take the CISO role more seriously. Until they do, we will continue to see a push from regulators and lawmakers to nudge, or even force, them in that direction.
If your bank doesn't have an independent, qualified CISO, it may be time to start looking for one or to even begin considering alternative options to fill that role.
