Tim Newman in Compliance Week: New York’s New Cybersecurity Demands Draw Near

12/14/2016

There is no shortage of guidance and frameworks for dealing with the risk of data breaches and fending off would-be hackers. What there hasn’t been, until now, is an industry-wide set of rules comparable to what New York’s Department of Financial Services has in store for financial institutions that fall under its oversight.

The agency’s regulations will impose a host of new security, personnel, attestation, and reporting requirements ...

Although the rule was not yet final prior to Thanksgiving Day, there is no indication that its deadlines will change, including an anticipated effective date of Jan. 1, 2017. That doesn’t give institutions very much time to achieve compliance if they need to make substantial changes, says Tim Newman, an associate with law firm Haynes and Boone. There are also ambiguities in the regulation.

For example, what, exactly, constitutes “sufficient” personnel to manage the needs of an institution? “For the larger institutions, it is yet another regulation for them to certify compliance with, and in that regard, it is a bit burdensome,” Newman says. “Some of the technical requirements, like encryption and multifactor authentication, may be more far-reaching than what some of the larger institutions are already doing. The smaller institutions—the ones that aren’t quite small enough to fit the exemption thresholds—are going to be the ones to really feel the squeeze.”

Excerpted from Compliance Week.
