
New York Revisits Cybersecurity Laws for Financial Services

Online threats and Internet security issues are evolving fast and continue to become more complex each year. With constant changes in security, and as hackers find new ways to gain access to data, regulators in cybersecurity must also revise their initiatives to ensure appropriate protection for individuals and organizations. New York officials recently revamped their cybersecurity regulations to address some of these changes.


The goal was to keep the foundation of the current cybersecurity laws intact, but make the much-needed additions and changes that would take into account the way the Internet and security are evolving, as well as how they are expected to progress in the future. One of the main changes was to give organizations more flexibility to customize the way they handle their own cybersecurity and user data. Every organization is different, and even if it maintains data similar to another institution's, it must be able to protect that data in its unique environment while still maintaining the standards laid out by federal regulations for financial institutions.


Many cybersecurity issues are caused by organizations being reactive rather than proactive about their online security. The new regulations require all financial institutions to perform a risk assessment prior to any attacks. Previously, organizations would react to an attack and then perform a risk evaluation to identify the likelihood of any future attacks being successful. Now, they must perform this assessment prior to any attack, which creates a better foundation for protection against future threats.


Not only are financial institutions required to perform early assessments, they are also required to perform periodic risk assessments. These are not a template of the same tasks carried out without consideration of the unique aspects of the entity. Instead, the institution must create tests and procedures that are customized and molded to its specific cyber needs. This includes protection from outside threats as well as from internal threats, a rising concern for many companies and individuals.


One interesting change is that encryption is no longer required. Instead, an organization is given an opportunity to determine what data is in motion and what must be encrypted during transit. The opportunity for the chief information security officer (CISO) to customize encryption and security procedures is part of the new design for flexibility in cybersecurity.


Even with this flexibility, it's important for every CISO to perform a thorough risk assessment to identify any issues with current security procedures, and to protect data from threats even when those threats are current employees. The new regulations make it much easier for organizations to determine their own threats rather than being forced to use a template that might not cover their individual security threats.



