
How to Prepare for More State Regulation of Data Security

Regulation around personal data protection is a growing trend, so financial institutions should prepare for more regulatory compliance responsibilities.

Because of the recent spate of data breaches exposing sensitive user data, more consumers are calling on local, state, and federal governments to protect them. This could put your organization in the crosshairs of current and upcoming data protection legislation.

We’ve seen two major instances of data protection legislation that may change the landscape of data protection and reporting requirements for your financial institution: the EU’s General Data Protection Regulation (GDPR) and New York State’s recent cybersecurity regulations.

International Regulations Hit Home: GDPR requires companies — regardless of their location — to protect the data of EU citizens. This widespread scope means that organizations must add controls for GDPR compliance.

New York Influences the Nation with Cybersecurity Rules: The New York State Department of Financial Services (DFS) enacted 23 NYCRR Part 500 [1], a landmark regulation establishing cybersecurity requirements for financial institutions that went into effect in February 2017. Banks, insurance companies, and other financial firms are required to carry out a cybersecurity program in accordance with the requirements set forth in the regulation.

Earlier this year, New York’s DFS issued an update to its cybersecurity regulation FAQs, ‘strongly encouraging’ financial institutions to voluntarily adopt the regulation’s cybersecurity protections regardless of whether they’re covered by the regulation.

Other states have taken notice of New York’s recent cybersecurity regulations and its proactive efforts around data security. They’re following New York’s lead and issuing rules at the state level to protect consumer data.

More States Consider Cybersecurity Laws — Is Yours on the List?

In 2017, at least 42 states introduced more than 240 cybersecurity-related bills or resolutions, according to the National Conference of State Legislatures. Some of the key areas covered by these laws include targeting computer crimes and restricting public disclosure of sensitive security information.

Other States with Notable Legislation Affecting Financial Institutions

Vermont (already in effect): Vermont’s Department of Financial Regulation [2] required securities professionals (those providing investment-related services, such as agents, broker-dealers, investment advisers, and solicitors) to “establish and maintain written procedures reasonably designed to ensure cybersecurity.”

Colorado (in the legislative process): The Colorado Division of Securities issued cybersecurity rules [3] applicable to broker-dealers and investment advisers. The state is also considering privacy and cybersecurity legislation [4] that would change how Colorado entities protect personally identifiable information.

Moreover, the National Association of Insurance Commissioners adopted the Insurance Data Security Model Law [5], which closely resembles the New York cybersecurity regulations. The model law outlines the requirements that agents, insurers, and other licensed entities must meet in establishing their cybersecurity programs.

With constantly evolving regulations, how can your organization keep pace? Here are best practices you can follow to ensure the security of your customers’ data.

Data Security Best Practices for Financial Institutions

Protecting customer data while still abiding by legal rules is essential for financial institutions. Follow these best practices to keep cybersecurity threats at bay:

  • Carry out regular cybersecurity awareness training for employees. Awareness is one of the best forms of defense against cybersecurity threats, so it’s important to train your staff to keep data safe.

  • Audit your applications and third-party service providers. Frequent audits of the applications used within your organization can point out configurations or settings that could lead to data breaches. Including third-party service providers in your audits also helps ensure that their cybersecurity policies are in line with your institution’s.

  • Perform robust penetration testing and vulnerability assessments. When conducting your annual pen test, be sure to identify weaknesses not only in your internal and external network controls but also in any new technologies you’ve implemented, such as additional hardware, new software, or updates to existing features. Prioritize findings based on their relevance to your organization so you can remediate the most important ones as soon as possible.

  • Conduct continuous monitoring. Employ a variety of technical and procedural controls, systems, and tools to detect any changes or events that may indicate malicious activity.

  • Evaluate your risk assessment program throughout the year. A periodic review of your risk assessment program is crucial to respond to evolving threats. Analyze any attacks on your systems and use that to inform the design of your program. These evaluations are also a chance to revise your security controls based on recent technological developments.

  • Update your incident response plan regularly. This plan will be used to respond to and recover from cybersecurity attacks, so keep it current as new threats emerge.

  • Implement multi-factor authentication or risk-based authentication to protect against unauthorized access. This should apply to employees accessing your institution’s internal network from an external network or from other devices. Additional authentication factors should also be required when accessing sensitive information.

State regulations are evolving to protect the data of their citizens. By keeping up with changes in legislation and taking steps to secure customer data, you’ll be prepared for both new requirements and cybersecurity threats.

Trust DataComm to help your financial institution remain in compliance with state, federal, and international data protection regulations. We offer audit and compliance services to determine the effectiveness of your institution’s controls and guide you in assessing and managing risk. Our comprehensive penetration testing and vulnerability scanning can also discover any weaknesses in your systems before they’re exploited. Get in touch with us today to learn more about how we can help you.


References

[1] https://www.dfs.ny.gov/legal/regulations/adoptions/adoptdfs.htm
[2] http://www.dfr.vermont.gov/reg-bul-ord/vermont-securities-regulations
[3] https://www.dlapiper.com/en/us/insights/publications/2017/07/colorado-adopts-new-cybersecurity-rules/
[4] https://www.natlawreview.com/article/update-colorado-s-proposed-privacy-and-cybersecurity-legislation
[5] https://corpgov.law.harvard.edu/2017/08/30/naic-adopts-model-cybersecurity-law/
