One Article Review

Source: AlienVault Blog
Identifier: 460880
Publication date: 2018-01-26 14:00:00 (seen: 2018-01-26 14:00:00)
Title: NY State Department of Financial Services New Cybersecurity Regulation – CISO Attestation Due Feb 15
Text: The first New York State (NYS) Department of Financial Services (DFS) CISO Attestation is due on February 15th. Last year, the NYS DFS enacted a new cybersecurity regulation that affects all financial companies that conduct business in the State of New York. A "Covered Entity" means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of the State. A company need not be domiciled in the State to be subject to the regulation (very similar to how GDPR is set up). Financial institutions include banks, money managers, and insurance companies. There are exceptions, but they are quite limited (based on institutional income and employee count). The impact of this regulation is very broad. In previous articles, I discussed the evolution of the regulation, as well as some of the important milestones that must be met in order to achieve compliance with it. The first milestone date passed back in August, and now the next important milestone is looming: the designated CISO of each financial organization must file the first certification of the organization's compliance with the regulation. The regulation includes the letter that must be filled out and filed with the Department of Financial Services. It is a simple, somewhat inelegant form, but it packs a powerful legal punch in that the CISO is attesting that the regulation is being followed. This means that your organization must have implemented the six items required in the first milestone. The reason why this simple form is so powerful is the undefined enforcement powers of the regulation.
The exact language states: "This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent's authority under any applicable laws." To a tech person, those sound like very broad enforcement powers. One has to wonder whether enforcement will be limited to preventing a non-compliant business from conducting operations in New York, or whether penalties can be as harsh as those prescribed in the GDPR, which becomes effective in May. Cybersecurity has now gone very mainstream and become very serious. Now is a good time to review whether your organization has stayed on track with the regulation's milestones. Please also note that the next milestone is March 1st. Many of us in the InfoSec community anticipated that this new era of cybersecurity regulation was on the way. However, now is not the time for any "I told you so" smugness. Remember, it is our job to guide organizations on how to meet the requirements of these new regulations. Remember, if you are not the CISO, then you are probably responsible for making the CISO's job easier. Let your expertise lead
Sent: Yes
Tags: Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.