Cyber security increasingly dominates global news, ranging from business data breaches to election hacks.
What has become clear is that, on top of becoming a business-critical issue, the cyber threat is now high on regulatory bodies’ radar. Hence upcoming regulation such as the GDPR, and the US Privacy Shield already in place.
As part of this new global awareness, major financial firms in New York City will be expected to rethink how they deal with cyber security.
The regulation will apply to firms holding a banking, insurance or financial services licence to operate in New York.
The new rules address a broad range of cyber security issues, from the maintenance of written policies, governance and auditing, to detection, defence and response measures, testing requirements and incident reporting.
It was initially put forward by the New York State Department of Financial Services (DFS).
The regulation is effective as of today – March 1st 2017, although firms will have 180 days from now to change internal systems in order to meet new compliance and regulation standards.
The new rules are extensive. Firms that must comply will be required to ‘maintain a cyber security program’ that can ‘protect the confidentiality, integrity and availability’ of the data within their systems.
This program must have detection, defence and response capabilities, including regulatory reporting obligations, as well as penetration testing.
The firms must design these cyber security programs based on individual risk assessments. They should be built ‘to reconstruct material financial transactions sufficient to support normal operations and obligations of the firm’.
Tim Erlin, director, security and IT risk strategist at Tripwire has said in response to this news that “The new NY DFS regulation has the same challenges that all cyber security regulations face: how to provide prescriptive requirements that are technology agnostic.”
“The DFS regulation addresses the challenge of keeping up with the changing threat landscape by tying the details to a prescribed risk assessment. Requiring a risk assessment to which the security controls are ultimately aligned is a smart move. It forces organisations to go beyond just buying the obvious tools to actually understand the threats they face.”
The enforced regulation will also ask firms to keep a record of ‘cybersecurity events that have a reasonable likelihood of materially harming any material part of the[ir] normal operations’ and, similar to GDPR, report any incidents to the DFS ‘as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred’.
A cyber security event is defined by the regulation as ‘any act or attempt, successful or unsuccessful, to gain unauthorised access to, disrupt or misuse an information system or information stored on such information system’.
This regulation is very similar to the standards set forward in the EU GDPR, only much more localised. As part of the regulation firms must reshape or create cyber security policies surrounding information security, data governance, network monitoring, data privacy and incident response.
Indeed, Erlin suggested that “the DFS regulation requires many of the basic, foundational controls that most cyber security regulations touch on. Covered entities need to implement a cybersecurity program, create and maintain a cybersecurity policy, and designate a qualified CISO that reports to the board on their progress and risks”.
As with GDPR, most firms will have to appoint a chief information security officer (CISO) to oversee these policies and their continued practice.
The CISO, according to the regulation, can be employed by an affiliate or third party provider.
DFS superintendent Maria Vullo said: “With this landmark regulation, DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information. As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber-attacks.”
In a closing thought Erlin said that “the DFS regulation intentionally avoids requiring many specific controls, but does include the best practices of vulnerability assessments and audit trails. However, the regulation includes some surprisingly weak allowances for the timing of vulnerability assessments. Unless a covered entity’s risk assessment recommends otherwise, the regulation allows covered entities to perform only annual penetration tests and bi-annual vulnerability assessments. It’s well accepted that infrequent vulnerability assessments aren’t enough, and it would be very surprising for any risk assessment to conclude that a bi-annual vulnerability assessment would be sufficient to protect a business.”