The new law, among other things, “includes requirements that financial and insurance institutions retain a CISO, report cybersecurity incidents within 72 hours and use multifactor authentication.” On February 17, 2017, BankInfoSecurity.com reported a story entitled “Breach Preparedness, Compliance, Cybersecurity Reworked N.Y. Cybersecurity Regulation Takes Effect in March” which included these comments:
…organizations must develop a cybersecurity program, including a written policy that addresses aspects such as access controls, business continuity, asset inventory and data governance.
The CISO must send a report at least annually to the organization’s board of directors, the new regulation states.
The cybersecurity program must include a periodic risk assessment plus annual penetration tests.
Encryption must be used for data in transit and at rest, the new regulation states.
Reporting incidents within 72 hours will be a real challenge, and time will tell whether the new regulations work successfully.