New Cybersecurity Requirements for the Financial Service Industry – Is California Next?

In the wake of the 81 million dollar theft from the Central Bank of Bangladesh and recent breaches stateside, regulators have begun to impose stringent cybersecurity standards on the financial sector. When the New York Department of Financial Services (NYDFS) issued a binding cybersecurity regulation (23 NYCRR Part 500) that took effect in March 2017, it became widely regarded as only a matter of time before other states follow suit. So who's next? The smart money is betting on California.

Is California Next?

California, long considered the poster child for early adoption of all things technology, is the strongest candidate for next in line. While NYDFS took a hard line, Californian legislation is expected to institute a "best of breed" set of cybersecurity standards for financial service companies. Pundits have suggested that, as the home of Silicon Valley, California's regulations may set the tone for the rest of the nation. Although New York was instrumental in getting the proverbial party started, California is expected to take it to the next level.

In New York, companies had six months to meet most of the regulation's requirements (with longer transitional periods for certain provisions), and speculation suggests that the turnaround time to compliance in follow-on states may be shorter. Given the scramble that mid-tier and boutique businesses in New York are still mired in, getting a head start on finding the right partner to meet regulators' requirements is paramount. With such valuable data needing to be secured, it's important to work with a company that you can trust.

Despite lax regulation in the past, Gotham Security has always exceeded compliance standards. Now that new regulations are being enacted and quickly enforced, Gotham's clients breathe easier, knowing their data is secure and meets or exceeds regulatory standards.

In anticipation of California's potential security overhaul, let us revisit some of the mandates that the State of New York instituted under Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York (23 NYCRR 500), which took effect in March 2017. It is prudent to expect California companies to be required to implement at least the following:

  1. Companies must assess their specific risk profile and design a cybersecurity program that addresses those risks in "robust" fashion.
  2. Senior management is responsible for the cybersecurity program.
  3. An annual certification of compliance must be filed with the regulator.

Firms must also be compliant with the following:

  1. Encrypt nonpublic information in transit and at rest (compensating controls are permitted where encryption is infeasible, subject to the CISO's approval) and appoint a CISO (Chief Information Security Officer, whether in-house, virtual, remote or from a third party).
  2. Protect electronic information, public and nonpublic.
  3. Annual penetration testing.
  4. Bi-annual (twice yearly) vulnerability assessments.
  5. Written incident response plans, access-limitation controls and employee training programs.

A security breach can cost a firm millions in lost clients, stolen data and lawsuits, and can do lasting damage to its reputation. The importance of investing in the right firm to address your business's needs cannot be overstated.

It should be noted that mere compliance does not guarantee security: meeting the letter of a regulation sets a floor, not a ceiling. Working with an experienced cybersecurity team to ensure your business and its data are safe is imperative. With a spotless track record, Gotham Security's team is committed to keeping your company's data secure. Is your company's cybersecurity compliant with the new regulations?
