Executive Spotlight With Nick Deshpande, VP Product Development at Zenedge

by Nick Deshpande
October 10, 2017
in Executive Spotlight
The compliance deadline for the new cybersecurity regulation for New York financial institutions passed last month. What are your initial thoughts on its potential impact?

The regulation – referred to as 23NYCRR500 – was passed into law in March and had an initial compliance date of 28 August. The regime subjects covered entities to requirements designed to ensure a mature security estate: it codifies some best practices to which many FIs are likely already adhering, owing to the industry or other regimes. While it doesn’t require the implementation of specific security controls, NY FIs will need to make sure that their reporting protocols and internal processes are aligned with the new law to ensure compliance. Smaller FIs may have a wider gap to close in terms of meeting some of the more stringent requirements.

What do you think are the most significant requirements of the regulation? What will be the hardest to achieve and what are the most important areas the financial institutions should focus on?

Meeting the requirements on paper, as an administrative exercise, appears to be pretty straightforward. It’s a simple endeavour, for example, to appoint a CISO (perhaps as a secondary responsibility). The hard part will be implementing the practices and procedures that the requirements demand, and the cultural shift that may be required for organizations to truly benefit from the requirements to improve their security estates.

Take application security, for example: an SDLC is easy to articulate, but putting it into practice can require drastic technical, procedural, and personnel changes. Developers need to be trained; new quality assurance steps ensure that code now meets security requirements, in addition to functional ones; and static assessments need to be performed, with shortcomings remediated.

A risk assessment is useful, but what an FI chooses to do with the results matters more. FIs will need to truly understand the crown jewels that underpin their core business, which teams and suppliers maintain them, and ensure that the most effective security controls are in place to secure them. This is an ongoing process that means continuous improvement.

Lastly, some of the retention requirements may need to be reconciled with other frameworks to best determine how long to hold on to certain kinds of data.

Can you expand a bit on how this regulation will affect NY financial institutions of different scale and purpose?

Larger NY FIs (assets of $10M+) are likely to have most of the components and procedures in place to comply with 23NYCRR500: they have CISOs, incident response plans, security policies, and good auditing in place. For some, it will mean reprioritizing current security initiatives and reporting protocols. The regulation will have a broader impact as well. FIs should rally their security providers to ensure that activities are happening at the right intervals, such as vulnerability scans.

Do you have any tips on how smaller financial institutions with limited resources can better organize their security approach to meet the compliance deadlines without disrupting their core services areas?

There are limited exemptions for smaller institutions so each FI will need to conduct an initial assessment and gap analysis, perhaps with the assistance of a third party, to determine how best to proceed. That shouldn’t mean that exemption from 23NYCRR500 should preclude smaller organizations from complying, especially with future growth in mind. For smaller institutions that are covered entities under the new law, there are some valuable shared services models that might be worth considering. Suppliers to which in-scope activities are outsourced should be petitioned for their plan to comply with 23NYCRR500.

What was the catalyst for this type of oversight in the financial services industry? Do you expect to see similar regulation come through on either the state or national level?

The security landscape is highly complex and threat actors are increasingly sophisticated in terms of their access to tools and techniques that were previously thought to be available to states. We know from the Verizon DBIR that Financial Services led in the raw number of breaches and ranked high in the number of incidents. The 2016 SEC breach disclosed this year drives home the varying motives behind cyberattacks within the industry. FIs face a variety of threats: Distributed Denial of Service attacks rank very high, credential stuffing (attempting to compromise account information on banking applications), clients using computers infected with trojans – the list is a long one. 23NYCRR500 is designed to compel FIs to have greater understanding and control over their attack surface.

We’ve noted increasing regulation in the area of cybersecurity, especially as it relates to protecting and managing personally identifiable information (PII). For some industries, especially financial services, this trend has resulted in overlapping compliance regimes, meaning there are shared requirements across various frameworks that may exist at different levels of government. If companies maintain an integrated risk and compliance program, it will be easier to meet disparate regimes with the same controls and (in some cases) third party audits.

In conclusion, can you share with our readers how Zenedge can help address this new regulation and help ease the burden for compliance for NY financial institutions?

Zenedge enables its clients to gain insight and control over the traffic reaching their web properties and networks. We leverage automation to stop DDoS attacks targeting network components and web applications. The Zenedge security suite is deployed as a security control that sits between a client’s web applications and services and the internet. The fully managed solution uses machine learning to look for anomalies in traffic as a means to complement signature-based detection. Zenedge delivers network availability and integrity with our volumetric DDoS mitigation service powered by RapidBGP(TM) which leverages scrubbing capacity situated globally to protect FIs from one of the most prevalent threats, without human intervention. Following a mitigation event, clients have access to rich reporting to gain insight into where an attack originated and what was targeted.

In terms of 23NYCRR500, it’s important to keep in mind that no one vendor will enable compliance across the full range of requirements. Rather, FIs would be well served to ensure that their security providers integrate seamlessly with their incident response plans, mitigate the risks identified during the assessment phase, and fit into the cybersecurity policy by delivering a tangible control. The Zenedge suite is well positioned to do exactly these things. We also conduct security scans of web properties as an initial step to ensure our solution takes into account any vulnerabilities or misconfigurations while those are addressed. Security and compliance is a continuous process and needs to be treated as such.

Tags: Compliance and Regulation, Security, Zenedge