New York State’s new Cybersecurity Requirements for Financial Services Companies (FFIEC) take effect on March 1, 2017, and the requirements are not for the faint of heart. They detail what organizations must do to stay as protected as possible. Before we get into the nitty gritty, experts point out that the key threats to organizations are quite often existing vulnerabilities and legacy software. These can be a source of intrusion, attacks and, even worse, exfiltration of data.
The challenge for many banking and financial organizations is that they are extremely dependent on technology, and quite often on the latest technology, with high-frequency trading (HFT) as one example. This can present a problem from a security standpoint, as the vulnerabilities of state-of-the-art solutions have yet to be worked out; this is the difference between the leading edge and the bleeding edge. Organizations need to be able to run their businesses with the technology needed to stay competitive while staying safe at the same time.
For more on the ramifications of these requirements, the following industry thought leaders have this to say:
Willy Leichter, VP of Marketing, CipherCloud:
"A state the size of New York can effectively create nationwide requirements. A similar trend started 15 years ago when California passed S.B. 1386, creating the first legal requirements for public notification of personal data breaches. This public scrutiny of data breaches has had an enormous impact on how organizations approach security, and led to 47 US states (and many other countries) enacting similar data privacy laws."
Christian Lees, CTO and CSO, InfoArmor:
"This is an example of progressive regulation coming into effect, much like the Gramm-Leach-Bliley Act. There is a good chance that New York’s proposed rules could become the new industry standard, not only within the financial sector but across all industries requiring more advanced cyber abilities and third-party management."
Robert Capps, VP of Business Development, NuData Security:
Any regulatory attempt that takes cybersecurity seriously must be seriously considered. Cyber threats to financial institutions are growing steadily, and the attackers are becoming more sophisticated. Customers have a legitimate expectation of protection. Banks have an obligation to fulfill their safety and security promise. With the sheer volume, complexity, and scope of the problem, there is a perception that the dam has broken. While a seemingly strong stand may get votes, it might not necessarily solve the issue, especially when other approaches could be more effective.
In the wake of several high-profile data breaches at major financial institutions, New York State, and Governor Cuomo have determined that financial institutions must be regulated to ensure they live up to expected standards for combating cyber threats and that such systems are sufficiently architected to prevent cyber-attacks to the fullest extent possible. New York proposes that the Board of Directors of a New York licensed financial institution would have to file annual certifications with New York State Department of Financial Services (NYDFS), stating, to the best of their knowledge, that companies' cyber programs comply with the regulations set forth.
An institution’s Chief Information Security Officer (CISO) would have to present yearly reports to the Board of Directors that assess the confidentiality, integrity, and availability of information systems. In the draft regulations, the CISO would be required to provide a detailed account of any exceptions to cybersecurity policies and procedures, identify cyber risks, assess the effectiveness of the cybersecurity program, propose steps to remediate any inadequacies identified, and include a summary of all material cybersecurity events that affected the regulated institution during the period addressed by the report.
NY may be the first State to introduce such measures, but they most certainly will not be the last. A financial institution not wanting to draw the ire of regulators will want to get on board with improving their cybersecurity programs now, as they will take some time to implement.
However, New York’s reaction seems redundant to some existing federal laws and regulations. Most institutions already have a CISO to oversee the security function, and they are responsible for the creation, operation, and auditing of security programs. Their regulatory agency has responsibility for verifying that they are following that agency's best practices, and they will be sanctioned if they do not do so.
Also of note, New York state does not have jurisdiction over any institution that is chartered at the Federal level. Therefore, Governor Cuomo’s ability to address issues with large bank breaches like JP Morgan or HSBC is questionable. The NY Department of Financial Services oversees a handful of local institutions, so the impact of such regulation may be limited.
With 1 in 16 Americans hit with some form of identity crime in 2016, it’s no wonder consumers are fed up and are demanding results from their lawmakers. Given the impacts on consumers, we’re encouraged to see lawmakers take balanced efforts toward combatting identity theft. Customer loyalty is the lifeblood of banking. Therefore, it will be doubly important to ensure that any solutions deployed to meet these standards can provide better experiences for customers and are as low friction as possible.
The reality is that security is only as strong as the weakest link, and an attacker will typically choose the most vulnerable attack vector to launch an attack. In other words, companies are not only competing for profits and market share; they also have to compete on cybersecurity, since the least secure organization will be a far easier target than its peers.
For more, we refer you to the following excellent resources:
A new breed of hacktrepeneurs has awoken and they have little to fear and everything to gain by infecting as many companies as possible and extorting money from them. Apex Technology Services stands ready to protect your company regardless of whether it’s located in New York City; White Plains, New York; Connecticut; Australia; Europe; or anywhere else. Our full suite of cybersecurity and IT support services is at your disposal, enabling you to spend less time worrying about and more time growing your business.
To ensure your security, consider one of our most popular services — Auditing & Documentation — which pinpoints vulnerabilities in your infrastructure, process flow and internal security procedures.