Financial institutions learn about new cybersecurity regulations

May 16, 2017
Originally published on May 16, 2017 10:59 am

Just days after a global cyberattack paralyzed computers in 150 countries, representatives from local financial institutions are learning about sweeping new cybersecurity regulations in New York State.

A seminar in Rochester this morning focused on the new regulations that went into effect March 1 requiring banks and other financial services institutions to, among other things, maintain minimum security standards for technology systems that are adequately staffed, and a plan to respond to cyber breaches and preserve data. 

When it comes to ransomware, as seen in the worldwide WannaCry cyberattack launched last Friday, some companies give into the cyberattackers' demands for money.

But attorney John Horn, who specializes in privacy and data security, says that decision comes with its own risks.

"When this hits a health care provider or other folks who are on the first line of defense where people's health and safety are concerned, you can certainly understand that decision, but at the end of the day, you have no assurance that the very same ransomware attack isn't going to be recreated the next day and ask for even more money."

Horn, a partner with the law firm Harter Secrest & Emery LLP, said it's up to leaders to create a culture of data security within their organization.

"Your people are the first and last line of defense for that. They need to be conversant in the nature of the risks, in the responsibility that they've been entrusted with by customers who are turning over their confidential information, and the best ways to identify those who would do harm to the organization and to the individual customers."

In the event of a cyberattack, Horn said vendors or service providers may be partly culpable for stolen data, but it is ultimately the company that collected the personal information from its customers that will be held accountable.