There’s a good reason for the proliferation of mandates like the one in New York state, but companies may struggle to answer this question: “Are we in compliance?”
Financial organizations are no strangers to regulation, but when it comes to cybersecurity, new mandates keep cropping up, and for good reason. According to a study from Accenture and the Ponemon Institute, the global financial services sector has experienced a 40% increase in the cost of cyberattacks during the past three years. Cyber heists against a string of banks (such as the $81 million stolen from the Bangladesh central bank and $6 million from a Russian bank) and high-profile data breaches at well-known global financial organizations have demonstrated that financial companies are top targets for cybercriminals.
With threats more complex than ever, and with more data to protect and more technologies touching that data, more cyber regulation is bound to happen. One of the most recent mandates is the New York State Department of Financial Services (NYS DFS) Cybersecurity Regulation. While the mandate first took effect March 1, 2017, important deadlines arrived on February 15 and March 1, 2018, including the requirement for a senior officer to certify that their organization is in compliance with the initial set of mandates. It’s the first cyber regulation of its kind requiring that a specific individual attest to compliance.
The NYS DFS Cybersecurity Regulation is meant to help financial organizations establish a risk-based security program. Most provisions include the phrase “based upon the covered entity’s risk assessment…” Requirements include hiring a chief information security officer (CISO), implementing multifactor authentication, performing continuous monitoring or annual penetration testing, providing notification within 72 hours of a breach occurring, monitoring for anomalous behavior, and more.
The regulation is mandatory for large global financial organizations that have operations in New York state, as well as for smaller organizations with as few as 10 employees, $5 million in gross revenue, and $10+ million in total assets. As of March 1, covered financial institutions are on the hook for all of the regulation's mandates except the few that do not take effect until September 2018 or March 2019.
As they work to meet the NYS DFS compliance mandates, many of those same financial organizations are also working to comply with the upcoming EU General Data Protection Regulation (GDPR), which takes effect May 25 and affects any company that collects data on EU citizens. They must also satisfy the SWIFT Customer Security Controls Framework, which took effect January 2018 and requires banks that use the SWIFT global messaging platform to implement controls on SWIFT-connected infrastructure, such as multifactor authentication, continuous monitoring, and anomalous behavior detection. Each mandate comes with its own set of penalties, including hefty fines (noncompliance with the GDPR could lead to a fine of up to 4% of global annual turnover).
The layering of mandates along with increasing penalties sends a message to financial organizations: dedicate budget, time, and resources to protecting your most-valued assets. The good news is that the message has resonated among many large financial organizations. Most global banks we have worked with already have established cybersecurity programs that fulfill many of the required mandates in part or whole. They have CISOs with policies, training programs, processes, tools, and technologies rolled out to handle access controls, authentication, data protection, vulnerability management, third-party risk management, and other important cyber requirements.
The greatest challenge for these banks is taming the cyber beast that results from their size and complexity. Most have a cacophony of tools, vendors, and processes, resulting in uneven protection and a lack of visibility into their assets and the cyber risks that may affect them. This is enough to give any board member or senior officer pause when certifying that their organization is in compliance with the NYS DFS mandate.
The good news is that most are moving quickly to improve. To manage their risk and comply with regulations like the NYS DFS Cybersecurity Regulation, most large financial services organizations are performing risk assessments as part of an overall risk-based approach and are deploying cyber-risk and user behavior analytics tools and processes to improve how they protect themselves from external and internal threats. The additional benefit is that these organizations will be able to sign their NYS DFS Cybersecurity Regulation certifications with more complete knowledge and greater confidence.
Midsize and smaller financial organizations, however, may struggle to comply with the many mandates. They typically have less-mature security programs, lower budgets, and fewer resources. For those banks and any others working toward compliance, a good place to start is to assign an executive responsible for cybersecurity. Drawing on their own experience or that of a third party, that executive will conduct a comprehensive risk assessment. The assessment should identify which assets matter most to the organization (those that, if compromised, would affect the organization the most) and produce a plan to bring the organization up to industry standards and into compliance with the NYS DFS mandate.
The covered entities themselves are not the only ones that need to pay attention. Increasingly, regulators are explicitly holding covered entities accountable even when a third-party service provider is responsible for a violation. That means third-party service providers will need to provide the same level of compliance as the entities themselves, regardless of their own location or industry. For example, even companies operating outside of New York state need to understand and comply with the regulations their NYS financial clients are obligated to follow, and those operating outside the EU need to comply with GDPR.
Prioritizing the “crown jewels” of the organization is inherent to adopting a risk-based approach, which is the focus of the NYS DFS mandate. By focusing their programs on the areas of greatest risk, organizations will make the most of their limited resources while protecting the assets that are the most important for the company to be successful.
Steven Grossman is VP of Strategy at Bay Dynamics, a cyber-risk analytics company. He has more than 20 years of management consulting, software, and industry experience working with technology, security, and business executives, driving solutions to their most critical and …