The NYDFS and the risk assessment

Banks are prime targets for cyber criminals. Financial services organisations suffered 52 data breaches last year, according to figures from the Identity Theft Resource Center, and 72,000 records were compromised. With the number of cyber attacks rising across the US, the New York Department of Financial Services (NYDFS) has responded.

As we previously discussed, the NYDFS has passed new, rigorous cyber security requirements for banks, consumer lenders, money transmitters, insurance companies and other financial service providers (i.e. ‘Covered Entities’). The requirements are currently in a 180-day transition period.

Under the Cybersecurity Requirements, one of the first things Covered Entities need to do is perform a risk assessment, as outlined in section 500.09 of the Regulation.

Are you prepared?

The NYDFS’s Cybersecurity Requirements emphasise the fact that any organisation’s cyber security policy should be based on the findings of its own risk assessment. This assessment must tackle the key issues that the NYDFS highlighted throughout the proposal process.

In an article covering the Regulation in full, the Harvard Law School Forum summarises the role the risk assessment should play in the following areas:

  • Penetration testing and vulnerability assessments should be tailored towards the risks and vulnerabilities identified in the risk assessment. The only time testing is not necessary is if the entity maintains “effective continuous monitoring, or other systems to detect, on an ongoing basis, changes […] that may create or indicate vulnerabilities”.
  • Audit trail systems should be based on the risk assessment.
  • Access privileges to systems that provide access to ‘Nonpublic Information’ should be limited based on the findings of the risk assessment.
  • Security policies and procedures accessible to third parties will depend on applicable facts as well as the risk assessment.
  • Multi-factor authentication should be implemented if deemed necessary by the risk assessment.
  • Encrypting ‘Nonpublic Information’ or employing alternative compensating measures should be determined based on the risk assessment.

Conducting risk assessments

If you want to learn more about risk assessments and the NYDFS, you should register for the following free webinar: NYDFS – a guide to risk assessment. Delivered in partnership with IT Governance, the webinar will cover the importance of the risk assessment and the ideal timeframe for conducting it, and will include a live demonstration of vsRisk™, our risk assessment management tool.

The webinar will be delivered on 12 July 2017, from 6:15 pm (BST).

Register today >>

Leave a Reply

Your email address will not be published. Required fields are marked *