There are reportedly 493 roller coasters spread around the US. One of those, on New York's Coney Island, is historic and known as the Cyclone. There is nothing like eating a classic Nathan's hot dog and strolling the boardwalk before or after you ride this summertime attraction. When it comes to the roller coaster of banking, however, NY has cyber risk on its mind these days.
New York Governor Cuomo recently issued proposed cyber security regulations for banks in the state to follow, and other states may use this as a template, so we raise awareness here. At the heart of the new regulations is a desire to protect consumers and the state's financial system, amidst the growing problem of cyber-attacks targeting financial institutions.
The proposed rules compel financial institutions of all sorts to take the necessary steps to construct and secure their systems against potential harm from terrorist networks or other criminal organizations. The rules also require institutions to perform regular risk assessments of their systems and to certify that they are complying with the rules each year. Though the new rules will create an additional level of regulation for financial service firms, New York's Department of Financial Services says that it took careful steps to ensure that any new regulation would not impede innovation within the banking industry. The regulator argues that the new rules merely ensure that financial institutions are keeping up with technological advancements.
Also under the proposed rule, financial institutions would be required to have a robust cyber security system in place. That system would also have to be led by an executive officer. Other requirements include: creating a cyber security program; putting cyber security policies in writing; designating a chief information security officer (tasked with implementing, overseeing and enforcing the organization's cyber security program); and establishing policies and procedures to ensure the security of any information systems or nonpublic information that is accessible or held by third-party providers.
Further, the new rules require financial institutions to notify New York's Department of Financial Services of any data breaches within 72 hours.
As we indicated at the outset, many regulators across the country are working on additional cyber security rules, so some of this could ultimately be absorbed into those rules as well.
For community bankers, any additional regulation comes at a high cost. To help, the Financial Services Information Sharing and Analysis Center (FS-ISAC) has made resources available to community banks in this area. For just $250 per year, banks with less than $1B in assets or less than $10mm in revenue can subscribe to weekly cyber updates.
Yet another resource for community banks when it comes to cyber is the US Computer Emergency Readiness Team (US-CERT). US-CERT is part of the Department of Homeland Security and it provides publications and educational materials, along with subscription alerts.
Suffice it to say that the ever-changing world of cyber risk continues to go up and down, so community bankers will have to hold on as the industry car continues to take some curves fast enough to make even the strongest a bit queasy at times.