Proposed new cyber security regulations will be a huge undertaking for financial institutions
11 November 2015
Joan McGowan
New York State Department of Financial Services (NYDSF) is one step closer to releasing cyber security regulations aided by the largest security hacking breach in history, against JP Morgan Chase. The attack on JPMorgan Chase is revealed to have generated hundreds of millions of dollars of illegal profit and compromised 83 million customer accounts. Yesterday (Tuesday, November 10), the authorities charged three men with what they call "pump and dump" manipulation of publicly traded stock, mining of nonpublic corporate information, money laundering, wire fraud, identity theft and securities fraud. The attack began in 2007 and crossed 17 different countries. On the same day as the arrests, the NYDSF sent a letter to other states and federal regulators proposing requirements around the prevention of cyber-attacks. The timing will undoubtedly put pressure on regulators to push through strong regulation. Under the proposed rules, banks will have to hire a Chief Information Security Officer with accountability for cyber security policies and controls. Mandated training of security will be required. Tuesday’s letter also proposed a requirement for annual audits of cyber defenses. Financial institutions will be required to show material improvement in the following areas:
- Information security
- Data governance and classification
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Capacity and performance planning
- Systems operations and availability concerns
- Systems and network security
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Incident response, including by setting clearly defined roles and decision making authority