As of March 1st 2017, New York became the first state in the nation to define cybersecurity regulations for financial institutions. These regulations (find them here) apply to financial entities regulated by New York’s Department of Financial Services (DFS), including banks, trusts, budget planners, check cashers, credit unions, money transmitters, licensed lenders, mortgage brokers and bankers.
The good news is that the regulations are written in a very straightforward way. There are no major surprises in this regulation compared to the others affecting the financial services vertical today (NIST CSF, OCC, GLBA, FFIEC), but there are some unique aspects, such as mandating a CISO (or an employee performing that function) and requiring secure data destruction.
In addition, the information to be protected encompasses more than customer data; it includes:
- Individual information connected with a financial product or service (largely tracking the Gramm-Leach-Bliley Act, an existing federal law);
- Confidential business information;
- Personal health information (largely tracking HIPAA’s Privacy Rule covering protected health information); and
- Any information that can be used to distinguish or trace an individual’s identity
There are also some important regulations related to regular testing of the cybersecurity environment. For example, Section 500.05 (Penetration Testing and Vulnerability Assessments) defines a requirement for penetration testing and vulnerability assessment, while Section 500.09 (Risk Assessment) calls for periodic risk assessment of the organization’s information systems.
Where New York State gets this wrong is in the frequency and approach of these testing requirements.
Calling for annual, periodic assessment is not enough. Point-in-time snapshots only provide evidence of how secure an organization is at that moment in time. While good in theory, it assumes that all the other cybersecurity factors stay static – users, applications, threats. It does not account for the rapidly changing and accelerating pace of the digital business, and the persistent nature of threat actors.
The goal for any organization should be to test its security defenses every single day so it can stay a step ahead of attackers and catch any mistakes its own security team may make. Remember that according to the 2016 Verizon Data Breach Report, miscellaneous errors such as misconfiguration of IT systems take the No. 1 spot for security incidents. In fact, a Gartner report on firewalls states that “Through 2020, 99% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.”
As financial organizations consider the New York DFS cybersecurity assessment and testing requirements, remember that the ultimate intent is not just compliance but also security.
Effective validation and assessment efforts must address the following:
- Continuously challenge whether security defenses can stand up to a breach
- Consider all possible breach methods a hacker might use across the kill chain—from exploits, malware, brute force and more (instead of endless lists of vulnerabilities)
- Validate security controls against both insider threats and external attacks
- Track risks and cybersecurity posture over time
- Prioritize key issues to remediate for the blue team
Of course, the objective is to do all of the above in a continuous manner without impacting users or the infrastructure.
I’d like to invite all New York financials to reach out to me for a deeper dive into how we can help with your cybersecurity regulations.
In the meantime, check out our animated video for a one-minute overview of SafeBreach and how we can address the requirements above, giving you the true hacker’s perspective of your risks.