If You Work in Financial Data and Haven’t Read New York State’s New Cybersecurity Regulations, Do It Today

If you transact sensitive data with or provide third-party services to banks or other companies that handle a lot of electronic payments, chances are you have a client or two based in our nation’s financial capital. That’s why you need to take a look at the newly revamped cybersecurity rules released by the State of New York’s Department of Financial Services, because they’re no longer limited to the Big Apple’s banks—they’ve been expanded to cover their data-related vendors as well.

The state’s move wasn’t entirely unexpected, and regulators made it with good reason: A chain is only as strong as its weakest link, and in recent years third-party vendors have presented an increasingly tempting target to data thieves and other cyber criminals.

Many of the new requirements are no-brainers for traditional financial services and fintechs, like the creation of a written cybersecurity contingency plan and the appointment of a chief information security officer. Some are less obvious, but fall squarely within Copper Squared’s portfolio of services. Here are a few examples:

Frequent Penetration Testing and Vulnerability Assessments

The New York rules call for financial institutions and the vendors that handle their sensitive data to perform annual penetration testing of their systems (if not continuous penetration monitoring), along with biannual vulnerability assessments designed to identify all publicly known cybersecurity risks.

Cybersecurity Training and Verification

Entities covered by the new rules must not only employ cybersecurity personnel who are qualified under the agency’s parameters, but also provide them with the training necessary to update them on the latest risks and regularly verify that knowledge.

Periodic Data Purges

Companies must create policies for the secure disposal of what the agency defines as “nonpublic information” that is no longer necessary for business purposes or for compliance with some other law, and must follow through with those policies on a regular basis.

As you might imagine, there are a handful of exceptions to these rules—loopholes for the smallest institutions and vendors, essentially—but New York’s new regulations are worth reviewing nonetheless. They provide a good baseline for any organization transacting sensitive data as security becomes a bigger concern. Other states are sure to follow suit.