With October being National Cybersecurity Awareness Month, now is a good time for financial institutions to take a hard look at their own information security and privacy practices. Privacy and protection of customer information is a duty of every employee of the institution. As a compliance officer or auditor, your role is to make sure your institution complies with the myriad rules, regulations, policies and procedures that apply to it, and, beyond confirming compliance, to assess whether those policies and procedures are actually adequate. Since most states have been slow to enact specific cybersecurity legislation (other than breach notification and incident response requirements), you are mostly concerned with federal laws such as GLBA, BSA and FACTA. One state, however, has been proactive. The NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES enacted 23 NYCRR 500 - CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES, effective March 1, 2017. The regulation is an excellent document for compliance officers and auditors to use as a checklist when assessing the adequacy of their own information security policies and procedures, even where the institution is not itself subject to it. If your state does not have a similar law or regulation, take a look at the complete New York cybersecurity regulation 23 NYCRR 500 at www.dfs.ny.gov
In the meantime, here is a brief summary of the key components of the regulation:
Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being so prescriptive that cybersecurity programs cannot match the relevant risks or keep pace with technological advances. Accordingly, the regulation is designed to protect both customer information and the information technology systems of regulated entities. It requires each company to assess its specific risk profile and to design a program that addresses those risks in a robust fashion. Senior management must take the issue seriously, is responsible for the organization's cybersecurity program, and must file an annual certification with the Department confirming compliance with the regulation.
For more information on cybersecurity education and awareness training, visit ThreatAdvice, Springhouse Compliance's sister company. Want an idea of where your bank stands on current cybersecurity awareness? Request your complimentary Phishing Report.