Banks and insurance companies in New York will soon be required to adhere to new cybersecurity guidelines, including appointing CISOs.
In a statement, Gov. Andrew Cuomo called the proposed new regulations a "first-in-the-nation" initiative to bolster cybersecurity policies at financial institutions licensed in the state.
Cuomo's long-awaited guidance for institutions overseen by the New York State Department of Financial Services (NYDFS) will first face a 45-day notice and a request for public comment before adoption procedures commence.
The proposed rules are intended to guard consumer data and financial systems from terrorist organizations and other criminal enterprises. They mandate that regulated financial institutions adhere to five principal requirements:
- Establish a cybersecurity program, designed to ensure the confidentiality, integrity and availability of information systems, that performs core cybersecurity functions.
- Adopt a written cybersecurity policy setting forth policies and procedures for the protection of their information systems and nonpublic information.
- Designate a chief information security officer responsible for implementing, overseeing and enforcing its new program and policy.
- Design policies and procedures to ensure the security of information systems and nonpublic information accessible to, or held by, third parties.
- Protect the confidentiality, integrity and availability of information systems. Included under this designation are calls for annual penetration testing and vulnerability assessments, the implementation of an audit trail system, periodic reviews of access privilege, further cybersecurity training for employees and written incident response plans.
NYDFS regulates banks licensed to do business in the Empire State, including Goldman Sachs, Barclays and Deutsche Bank, as well as insurance companies conducting business in the state.
"New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks and other criminal enterprises," said Cuomo. "This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible."
A number of cybersecurity experts we spoke with following the announcement held a range of views.
"It's always good to elevate cybersecurity issues from the technical realm to the business and board level," Gidi Cohen, founder and CEO of Skybox Security, a security analytics firm, told SCMagazine.com on Wednesday. "Most of the largest financial institutions already have a CISO. These regulations will help ensure that those who currently do not have such an executive will soon have one. The regulations will also help raise the visibility and voice of the CISO at the board level."
Cohen said he believed that it's good that the regulations recognize that minimum standards are just that – a minimum. "It's important that organizations see such regulations as a lowest common denominator from which they have to add elevated levels of protection. Organizations that are not banks should also review and take into consideration these regulations."
Others agreed. "Contrary to the general view that regulations rarely add security value, there may actually be some meaningful requirements in the new regulations," Leo Taddeo, CSO at Cryptzone and a member of the Citizens Crime Commission of New York City, told SCMagazine.com on Wednesday in an email.
A former Special Agent in Charge of the FBI's New York cybercrime office, where he oversaw the J.P. Morgan case, Taddeo pointed to the requirement for "risk-based authentication" for users accessing the network. "This security measure is being widely adopted by government and private enterprises in the form of software defined perimeter (SDP) architectures," he said. "By taking a risk-based approach, networks dynamically check a user's context at the initial connection and at frequent intervals during the session. When a change in the user's context is detected, the connection can be terminated or reduced to continuously protect sensitive resources."
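As an added illustration of the continuous, risk-based session check Taddeo describes (example code written for this article, not Cryptzone's product or any real SDP implementation), the following records a baseline context at connection time, re-evaluates the observed context at a fixed interval, and keeps the session at full access, downgrades it to reduced access, or terminates it depending on what changed. The context fields, the risk weights and the thresholds are assumptions chosen for the example; a real deployment would take them from its own risk policy.

```python
"""Simplified risk-based session policy (added example; weights, fields and
thresholds are illustrative assumptions, not any vendor's policy)."""
from dataclasses import dataclass
from typing import List, Tuple

FULL, REDUCED, TERMINATED = "full", "reduced", "terminated"


@dataclass(frozen=True)
class Context:
    """What the access layer knows about the client at a point in time."""
    user: str
    device_id: str      # hypothetical device fingerprint or client-cert id
    network: str        # hypothetical source network, e.g. a /24
    country: str        # hypothetical geolocation result
    mfa_fresh: bool     # True if MFA completed inside the policy window


# Assumed risk weights for a change in each attribute since connection.
WEIGHTS = {"device_id": 4, "network": 1, "country": 2}
MFA_STALE_PENALTY = 2   # assumed: stale MFA alone only reduces access
REDUCE_AT = 1           # any change at all drops to reduced access
TERMINATE_AT = 4        # a new device, or several smaller changes, ends it


def risk_score(baseline: Context, current: Context) -> int:
    """Sum the weights of every attribute that differs from the baseline."""
    if current.user != baseline.user:
        return TERMINATE_AT          # identity mismatch is never tolerated
    score = sum(w for f, w in WEIGHTS.items()
                if getattr(current, f) != getattr(baseline, f))
    if not current.mfa_fresh:
        score += MFA_STALE_PENALTY
    return score


def decide(score: int) -> str:
    """Map a risk score to the access level the session is allowed."""
    if score >= TERMINATE_AT:
        return TERMINATED
    if score >= REDUCE_AT:
        return REDUCED
    return FULL


def allowed(state: str, sensitivity: str) -> bool:
    """Reduced access only reaches low-sensitivity resources."""
    if state == FULL:
        return True
    if state == REDUCED:
        return sensitivity == "low"
    return False


class Session:
    """Holds the connection-time baseline and re-checks at an interval."""

    def __init__(self, baseline: Context, connected_at: int, interval: int = 60):
        self.baseline = baseline
        self.interval = interval
        self.last_check = connected_at
        self.state = decide(risk_score(baseline, baseline))
        self.transitions: List[Tuple[int, str, str]] = []

    def recheck(self, now: int, current: Context) -> str:
        """Re-evaluate if the interval elapsed; a terminated session stays so."""
        if self.state == TERMINATED:
            return TERMINATED
        if now - self.last_check < self.interval:
            return self.state
        self.last_check = now
        new_state = decide(risk_score(self.baseline, current))
        if new_state != self.state:
            self.transitions.append((now, self.state, new_state))
        self.state = new_state
        return new_state


def simulate(events: List[Tuple[int, Context]], interval: int = 60) -> List[Tuple[int, str]]:
    """Replay (timestamp, observed context) pairs; the first pair is the connection."""
    t0, baseline = events[0]
    session = Session(baseline, t0, interval)
    out = [(t0, session.state)]
    for t, ctx in events[1:]:
        out.append((t, session.recheck(t, ctx)))
    return out


# Constructed sample session: same user, context drifting over four minutes.
BASE = Context("alice", "dev-A1", "203.0.113.0/24", "US", True)
SAMPLE = [
    (0, BASE),
    (30, BASE),                                                   # too soon to re-check
    (60, Context("alice", "dev-A1", "198.51.100.0/24", "US", True)),  # new network
    (120, BASE),                                                  # back to baseline
    (180, Context("alice", "dev-B7", "203.0.113.0/24", "US", True)),  # new device
    (240, BASE),                                                  # already terminated
]

if __name__ == "__main__":
    for t, state in simulate(SAMPLE):
        print(f"t={t:>3}s  access={state}")
```

The example deliberately treats a device change as more serious than a network change, so a user roaming between networks is only downgraded while a session continuing from a different device is ended; the `transitions` list gives the audit trail a detection team would want for each change of access level.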
Taddeo added that similarly, financial institutions are required to encrypt customer data that is either at rest or in motion. "This may be a challenge to implement, but it would certainly reduce the number of successful hacks that result in data loss," he said.
Cohen at Skybox advocated for the use of tools as a way for executives to gain visibility into their cybersecurity attack surface. "They need tools to easily visualize indicators of exposure to attack," he said. "Such tools let them easily understand where they might have vulnerabilities and allow them to prioritize those vulnerabilities. An ounce of prevention is indeed worth a pound of cure."
As far as what distinguishes these proposals from similar mandates, Cohen said the proposed regulations are a continuation of the trend to have mandates with teeth, such as the European Union GDPR. "We're seeing more and more specific recommendations with penalties that have a consequence to the organization and even to individuals within the organization."
However, some experts pointed to shortcomings in the proposed requirements, or to enterprises' lack of preparedness.
"While we applaud the positive elements of the proposal, we believe it was a mistake to abandon the requirement for multifactor authentication for consumer banking that [New York state's first Superintendent of Financial Services] Benjamin Lawsky had previously called for," John Gunn, VP of communications at VASCO Data Security, told SCMagazine.com on Wednesday in an emailed statement. "Multifactor authentication has become almost transparent for banking customers with the integration of smartphones, and it is miles ahead of 30-year-old username and password methods."
Many leading banks already use multifactor authentication to secure their customers' accounts, he explained, adding that this protection should be universal.
"It is at this point almost inconceivable that any major financial institution either would not have already implemented such cyberdefense solutions and practices, or would resist doing so," Bert Rankin, CMO at Lastline, told SCMagazine.com on Wednesday in an emailed statement. "One of the most crucial, largely unaddressed issues is what types of cyberdefense strategies the regulations might ultimately require."
Rankin pointed out that malware behaviors and attack strategies mutate and evolve so quickly that measures focused on any one or two specific defense strategies would be antiquated in months, if not in weeks. "The ability to detect highly evasive malware is at the heart of cybersecurity," Rankin said. "It should be part of the core of effective regulation, and should actually be a lynchpin in every organization's cyberdefense and incident response."
"While providing a baseline for cybersecurity to financial institutions operating in New York state is a positive development, it is unclear what it adds to the already established frameworks and standards from an operational perspective," Steven Grossman, vice president of strategies and enablement at Bay Dynamics, told SCMagazine.com in emailed comments on Wednesday.
"Although companies already adhering to best practices and established frameworks, like NIST and the FFIEC Cyber Security Assessment Tool, should not experience much additional operational burden from the NYDFS regulation, it does add another set of reports for another regulator," Grossman said.
"When it comes to continuously complying with industry requirements, metrics and reporting, automation is critical so that security resources can focus on the business of minimizing risk versus the distraction of report generation," Grossman added. "Holding board leaders responsible for certifying their cybersecurity programs points to the need for closing the communication and knowledge gap that often leaves boards of directors in the dark about the real state of cyberrisk affairs on the ground."