This article was written by Christopher Salone, CISA, CCSFP, MBA
As another year passes, more cybersecurity laws and regulations for financial institutions are proposed or updated. Let’s recap the last twelve months and look at some of the most impactful cyber regulatory updates that, whether coming soon or now in effect, will need to be considered by your management teams.
Federal Incident Reporting Requirements
While reporting a data breach or cyber-attack has thus far mostly been enforced at the state level, federal regulators have now implemented incident reporting requirements for governed institutions.
Effective May 1, 2022, the Federal Deposit Insurance Corporation (FDIC) issued a rule requiring any FDIC-insured financial institution to notify its primary Federal regulator of any “computer-security incident” that rises to the level of a “notification incident.” The Federal regulator must be notified as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule also requires a bank service provider to inform each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.
Similarly, the NCUA has approved a final rule that requires federally insured credit unions to notify the NCUA as soon as possible, and within 72 hours, after the credit union reasonably believes that a reportable cyber incident has occurred. The rule is effective September 1, 2023.
New York Department of Financial Services – Amendments to Part 500 Cyber Security Regulations
New York State Department of Financial Services (NYSDFS) has proposed several changes to the existing 23 NYCRR Part 500 – Cybersecurity Requirements for Financial Services Companies (the Cybersecurity Regulation or Part 500). They include items such as:
- Classification of “Class A” companies, which are those with over 2,000 employees or over $1 billion in gross annual revenue (as an average over three years). These Class A companies will need to meet new requirements such as annual independent audits and risk assessments, new password expectations, more frequent vulnerability scanning and more.
- Definition of a “Covered Entity”, which means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, including entities that are also regulated by other government agencies.
- Increased expectation of CISO independence and reporting to the Board.
- New requirements for Asset Inventorying and the policies and procedures that support the program.
- Multifactor authentication for all privileged accounts.
- New reporting requirements for extortion payments and ransomware events.
FFIEC Updates Its Cybersecurity Resource Guide For Financial Institutions
On October 3, 2022, the Federal Financial Institutions Examination Council (FFIEC) released a new version of the Cybersecurity Resource Guide for Financial Institutions.
The resource guide is a valuable tool for financial institutions of all sizes as it provides best practices, recommendations, and resources to help organizations protect their networks and data from cyber threats. The guide also serves as an educational resource on the latest security technologies.
Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements
Effective in June, the Federal Trade Commission (FTC) issued a final rule to amend the Standards for Safeguarding Customer Information (Safeguards Rule), which is a component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The changes to the Safeguards Rule expand on the minimum information security requirements that should already be in place at participating institutions and their third-party servicers, including the following:
- Appointing a qualified individual to oversee and implement the information security program
- New criteria for risk assessments
- New technical controls for implementing safeguards such as access controls, data loss prevention, encryption, etc.
- Monitoring and penetration testing
The updates to the rule also expand the definition of what can be considered an “Institution”, including those that engage in the following: (1) traditional banking functions; (2) making, brokering, or servicing extensions of credit; (3) property appraising; (4) collection services; (5) credit reporting; (6) asset management; (7) leasing property; (8) real estate settlement; and (9) bringing together buyers and sellers of any product or service that the parties negotiate and consummate.
As you consider and navigate these changes, the FoxPointe team is ready to answer any questions and support you and your clients’ needs, from vCISO and general consulting to risk and gap assessments and more.
Links to each rule and update:
- FDIC Computer Incident Notification Rule
- NCUA Cyber Incident Notification Requirements