The Department of Financial Services (DFS) rules (23 NYCRR 500) go into effect on March 1, 2017. Though similar to previous cybersecurity regulations, some sections stress the need for ongoing training for cybersecurity professionals.
For example, the Cybersecurity Personnel and Intelligence section mentions that involved entities shall utilize qualified cybersecurity personnel, provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks; and verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
Given the pervasive nature of the cybersecurity skills shortage, financial services organizations operating in New York State may struggle to meet these obvious and basic cybersecurity requirements, according to Network World. Still, they can get around these requirements by transferring risk to “an Affiliate or qualified Third Party Provider.”
Commenting on this regulation, David Vergara, VASCO Data Security said: “In recent time, the regulatory pendulum has begun to swing in favour of a “lighter” approach for banks, financial services and for other industries too, for that matter. It’s good to see, however, that good sense regulations like this one have survived to offer additional consumer protection via thorough evaluations of third party vendors, comprehensive risk assessments and advocacy for stronger multi-factor authentication.”
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now