New York is launching a new cybersecurity regulation that comes into effect March 1. The regulation targets the banking and insurance sectors, with the aim of better protecting institutions and consumers against the bad actors that target these firms.
This cybersecurity regulation, believed to be the first of its kind adopted by a U.S. state, highlights both the need for action and the continuing inability to quell attacks on businesses and government agencies, regardless of the countless sums invested in information security and thrown at the bad guys.
New York State leaders at the highest levels, including the governor’s office, feel that this emphasis is needed. “New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” says New York Governor Andrew M. Cuomo.
The regulation includes requirements that financial and insurance institutions retain a chief information security officer (CISO), report cybersecurity incidents within 72 hours and use multifactor authentication.
A much larger scope was originally planned for this regulation, but after receiving input from private industry, the state eased off some of its proposals, such as a sweeping definition of what constitutes non-public information and specific requirements for technology vendors (see Critics Blast New York’s Proposed Cybersecurity Regulation).
The regulation will be challenging for many organizations to implement. It is one of the most comprehensive cybersecurity regulations in the financial sector, and many businesses have neither the in-house expertise on staff nor the budget to hire it. This will help to fuel the growing trend of firms partnering with and outsourcing to managed security providers, which act as an extension of their staff to help them meet the regulation’s requirements.
What Does This Mean?
It is interesting to note that many of the requirements in the new regulation are steps that larger financial institutions have likely already taken.
For example, organizations must develop a cybersecurity program, including a written policy that addresses aspects such as access controls, business continuity, asset inventory and data governance. The CISO must send a report at least annually to the organization’s board of directors.
The cybersecurity program must include a periodic risk assessment plus annual penetration tests. Encryption must be used for data in transit and at rest, the new regulation states.
Organizations also must develop a written incident response plan.
By February 15 every year, organizations must submit a statement to New York’s Superintendent of Financial Services that certifies compliance.
Regulation Raises Concerns
The American Bankers Association says that while the regulation takes a risk-based approach, which it supports, it will add a significant burden to banks. The group is also concerned that institutions haven’t been given enough time to make the required changes.
“In addition, the rules could come in conflict with existing federal regulations, and may not provide enough flexibility to address the constantly evolving nature of cyber threats,” according to a blog post in the ABA’s Banking Journal.
In October, federal banking regulators proposed new cybersecurity standards for the nation’s largest banks to ensure they are adequately addressing risk management, business continuity and incident response. It could be a year or more, however, before a final version of the proposed standards is published. The Federal Deposit Insurance Corp., the Federal Reserve Board and the Office of the Comptroller of the Currency – the three Federal Financial Institutions Examination Council (FFIEC) agencies that published the proposal for new standards – closed the comment period on January 17. Comments will now be reviewed by all five FFIEC agencies before new mandates are finalized and published (see Cyber Mandates for Big Banks Would Build on Earlier Guidance).
Industry experts are cautious and point out that no one wants the goal to be compliance for compliance’s sake. The more alignment and consistency there is among regulatory frameworks, the more effective the result will be. Many companies cannot devote their resources solely to trying to be compliant; they need to have the latest security best practices in place to make the organization genuinely more secure. If that expertise is not in house, businesses will need to align with managed service providers who have the necessary expertise and infrastructure to help them.
Matthew Pascucci, an IT Security Consultant based in New York, sums up the regulations nicely: “There’s always a need for oversight, especially within cybersecurity, but the issue of guiding all organizations under one framework can sometimes be burdensome. The regulation the DFS put forward is one that attempts to push the entire industry to meet the basic standards, which I applaud, but in doing so could slow others down that were already performing this level of security. It’s a two-edged sword at this point; if they do nothing, those that don’t want security won’t improve, but if they force more state regulation onto firms already doing security, it could take their attention from the real threats. It’s a hard decision to make, but I think in the long run it will improve the general security of the financial services industry as a whole.”
What Has to Be Done Beyond This Regulation
So what does this regulation really mean, and what are the implications? First of all, any time government intervenes in policy for the private sector, there is cause for concern as to whether it will impose unrealistic burdens on businesses and drift away from its original mission, which, on the surface, is a noble cause.
Over the last few years, the almost daily headlines about companies falling victim to cybersecurity breaches have raised the awareness that large and small firms alike need in order to better protect themselves. Many firms have already begun their own information security best-practice programs, similar to what this regulation outlines and beyond it.
This latest New York State regulation will not, by itself, save companies from becoming the next headline and putting their consumers at risk. However, it is a start, and may be the kick that companies, especially small to medium-sized businesses, need to take additional steps to protect their key assets and their customers’ data.
No matter what the latest technology put on the front lines to protect against these bad actors may be, the weakest link always has been and always will be the carbon life form.
That is why managed security firms like CCSI, which specialize in assessing the operational risk of businesses while at the same time providing the solutions and the expertise needed to fill the security gaps these companies have, will continue to flourish.
Small businesses especially are at an even bigger risk, because many business owners don’t have the deep pockets for knowledgeable staff. Instead they read about how to address a problem and try to combat the obvious, only to find out later that they are in a bigger hole to dig out from.
One recent example is a small CPA firm that was hit with ransomware. The business owner acted quickly enough to take the machine offline and replace it with a new machine, copying the data back from the cloud. A few days after the data had been restored, the problem surfaced again. The business owner did not realize that backing up the data had also meant backing up the malware attached to that machine, so restoring those files reintroduced the infection.
So the need for education, together with following security best practices, periodic security assessments that show which devices are most at risk, probing for the openings through which malware could penetrate, and the introduction of newer technologies like machine learning both on the network and at the endpoint, are the clearest examples of the benefits businesses derive from working with managed security service providers like CCSI.
CCSI security analysts have the expertise to recognize the signs of a compromise in real time and take immediate action based on run-book instructions to contain the infection and mitigate it quickly while reducing the attack surface. In one real-world example, a CCSI client in the education sector showed indications of compromise that were recognized early on by CCSI analysts, who acted quickly and averted a wide-scale ransomware attack.
So while New York State’s latest regulation is noble in its cause of protecting businesses and individuals’ privacy and information, it is up to businesses to align themselves with the expertise needed to provide both security best practices and the real-time breach-detection capability required to combat the bad guys and their quest for bigger, more profitable targets.
For additional information download this free whitepaper: How to Approach the New York State Department of Financial Services Cybersecurity Requirements
Larry Bianculli is managing director of enterprise and commercial sales at CCSI. He has 20-plus years of experience in the IT industry helping clients optimize their IT environments while aligning with business objectives. He has vast experience in many verticals, including Financial, Public Sector, Health Care, Service Provider and Commercial accounts. He has helped customers and led teams with a balanced approach to strategy and planning, execution, and personal principles.