From: Lexology
John F. Libby and Jacqueline C. Wolff | Manatt Phelps & Phillips LLP
Why it matters: The New York State Department of Financial Services—or DFS—was created in 2011 from two previously separate state agencies to regulate banks and other financial institutions subject to New York insurance, banking and financial services laws. The Financial Crimes Enforcement Network—or FinCEN—is part of the U.S. Department of the Treasury and was created in the early 1990s as a collector and repository of financial intelligence with added regulatory and enforcement capabilities. FinCEN’s mission is to “follow the money” in its attempts to stem criminal financial activity. In recent years, the DFS and FinCEN have increased their respective profiles in the area of enforcement, joining the DOJ and SEC as primary financial crimes enforcement agencies. A recap of both agencies’ activities from late 2015 foreshadows a trend for 2016 and beyond. Read on for the details.
***
- November 9, 2015—“Potential” new cyber security regulation requirements “aimed at increasing cyber security defenses within the financial sector”: In a memo to the Financial and Banking Information Infrastructure Committee (FBIIC), Acting Superintendent of Financial Services Anthony J. Albanese states that DFS “considers cyber security to be among the most critical issues facing the financial world today—and one that poses a particular challenge to regulatory agencies.” The agency’s hope is that the memo to fellow financial agency regulators would “help spark additional dialogue, collaboration, and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions.” The memo states that, to this end, it is inviting feedback from FBIIC members on “key regulatory proposals” currently being considered by DFS for the institutions under its authority, including the requirements that “covered entities”:
  - (1) adopt, implement and maintain (i) written cyber security policies and procedures covering the areas set forth in the memo, (ii) policies and procedures ensuring the security of sensitive data accessible to third-party service providers and (iii) written procedures, guidelines and standards “reasonably designed” to ensure the security of all applications utilized by the entity;
  - (2) adopt procedures to implement multifactor authentication for access to both internal and external systems;
  - (3) designate a Chief Information Security Officer (CISO) who would be responsible for (i) overseeing, implementing and enforcing the entity’s cyber security policies, (ii) filing board-reviewed annual reports with the DFS assessing the strength of the cyber security program and the cyber security risks to the entity, and (iii) reviewing on an annual basis the entity’s application security procedures;
  - (4) employ personnel “adequate” to manage the entity’s cyber security risks and provide mandatory ongoing training so that such personnel are able to “stay abreast” of changing cyber security threats;
  - (5) conduct annual “penetration testing” and quarterly “vulnerability assessments” and maintain an “audit trail system”; and
  - (6) immediately notify the DFS of any cyber security incident that has a “reasonable likelihood” of materially affecting the normal operation of the entity.