Light Dark
January 4, 2017 By Mark Samuels 2 min read

The New York State Department of Financial Services (DFS) published a new cybersecurity regulation for firms operating in the financial sector. The proposal could have serious ramifications for IT decision-makers and their peers.

Financial Services Superintendent Maria T. Vullo revealed the updated plan at the end of 2016. The updated proposal spans 14 pages and includes a range of modifications from the initial plan released last September.

This cybersecurity regulation covers a series of best practices, from annual certification to executive sponsorship. The regulation highlights the importance of paying attention to governance concerns, particularly with regard to information security leadership.

New Responsibilities for IT Leadership

The original plan set a deadline of Jan. 1, 2017, for compliance with the new DFS cybersecurity regulation. Banks, insurance companies and other finance firms will now have until March 1 to meet the requirements of the proposal.

As part of the proposal, finance firms must create annual reports that cover material cybersecurity events. These documents must be accepted by the board and appropriate certification forwarded to DFS.

Cybersecurity leadership forms another key tenet of the regulation. Finance firms would need to employ a chief information security officer (CISO) to comply with DFS requirements.

An Adjustment Period

The newly proposed regulation provides financial institutions with more flexibility than the original plan. The adjustments were made after a period of consultation. An additional 30-day comment period will run before the new proposals are enacted in March.

Under the new proposals, firms have 72 hours to report a breach from the time it is discovered. In the original plan, firms had to report within 72 hours of the breach itself.

The original regulation also cited a six-year retention period for data. After consultation, the agency determined that the collection of data could create a bigger potential target for cybercriminals and reduced the retention period to five years.

Cybersecurity Regulation Presents New Challenges

Some influencers believe organizations already face too many compliance requirements. SecurityWeek reported that some experts believe regulations actually take IT specialists away from front-line defense work. Additionally, firms will likely struggle to appoint CISOs per the DFS requirement, as the role of the CISO remains poorly defined.

This anomaly exists because few businesses treat security as an individual line item. Employees with little security expertise too often undertake processes critical to cyberdefense. As a result, many CISOs lack insight into security investments across the enterprise.

 |  |  | 
Mark Samuels
Tech Journalist

More from

December 23, 2024

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

November 22, 2024

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature