The compliance deadline for the new cybersecurity regulation for New York financial institutions passed last month. What are your initial thoughts on its potential impact?
The regulation – referred to as 23NYCRR500 – was passed into law in March and had an initial compliance date of 28 August. The regime subjects covered entities to requirements designed to ensure a mature security estate: it codifies some best practices to which many FIs are likely already adhering, owing to the industry or other regimes. While it doesn’t require the implementation of specific security controls, NY FIs will need to make sure that their reporting protocols and internal processes are aligned with the new law to ensure compliance. Smaller FIs may have a wider gap to close in terms of meeting some of the more stringent requirements.
What do you think are the most significant requirements of the regulation? What will be the hardest to achieve and what are the most important areas the financial institutions should focus on?
Meeting the requirements on paper, as an administrative exercise, appears to be pretty straightforward. It’s a simple endeavour, for example, to appoint a CISO (perhaps as a secondary responsibility). The hard part will be implementing the practices and procedures that the requirements demand, and the cultural shift that may be required for organizations to truly benefit from the requirements to improve their security estates.
Take application security for example: An SDLC is easy to articulate but putting it into practice can require drastic technical, procedural, and personnel changes. Developers need to be trained; new quality assurance steps ensure that code now meets security requirements, in addition to functional ones; and static assessments need to be performed, with shortcomings remediated.
A risk assessment is useful, but what an FI chooses to do with the results matters more. FIs will need to truly understand the crown jewels that underpin their core business, which teams and suppliers maintain them, and ensure that the most effective security controls are in place to secure them. This is an ongoing process that means continuous improvement.
Lastly, some of the retention requirements may need to be reconciled with other frameworks to best determine how long to hold on to certain kinds of data.
Can you expand a bit on how this regulation will affect NY financial institutions of different scale and purpose?
Larger NY FIs (assets of $10M+) are likely to have most of the components and procedures in place to comply with 23NYCRR500: they have CISOs, incident response plans, security policies, and good auditing in place. For some, it will mean reprioritizing current security initiatives and reporting protocols. The regulation will have a broader impact as well. FIs should rally their security providers to ensure that activities are happening at the right intervals, such as vulnerability scans.
Do you have any tips on how smaller financial institutions with limited resources can better organize their security approach to meet the compliance deadlines without disrupting their core services areas?
There are limited exemptions for smaller institutions so each FI will need to conduct an initial assessment and gap analysis, perhaps with the assistance of a third party, to determine how best to proceed. That shouldn’t mean that exemption from 23NYCRR500 should preclude smaller organizations from complying, especially with future growth in mind. For smaller institutions that are covered entities under the new law, there are some valuable shared services models that might be worth considering. Suppliers to which in-scope activities are outsourced should be petitioned for their plan to comply with 23NYCRR500.
What was the catalyst for this type of oversight in the financial services industry? Do you expect to see similar regulation come through on either the state or national level?
The security landscape is highly complex and threat actors are increasingly sophisticated in terms of their access to tools and techniques that were previously thought to be available to states. We know from the Verizon DBIR that Financial Services led in the raw number of breaches and ranked high in the number of incidents. The 2016 SEC breach disclosed this year drives home the varying motives behind cyberattacks within the industry. FIs face a variety of threats: Distributed Denial of Service attacks rank very high, credential stuffing (attempting to compromise account information on banking applications), clients using computers infected with trojans – the list is a long one. 23NYCRR500 is designed to compel FIs to have greater understanding and control over their attack surface.
We’ve noted increasing regulation in the area of cybersecurity, especially as it relates to protecting and managing personally identifiable information (PII). For some industries, especially financial services, this trend has resulted in overlapping compliance regimes, meaning there are shared requirements across various frameworks that may exist at different levels of government. If companies maintain an integrated risk and compliance program, it will be easier to meet disparate regimes with the same controls and (in some cases) third party audits.
In conclusion, can you share with our readers how Zenedge can help address this new regulation and help ease the burden for compliance for NY financial institutions?
Zenedge enables its clients to gain insight and control over the traffic reaching their web properties and networks. We leverage automation to stop DDoS attacks targeting network components and web applications. The Zenedge security suite is deployed as a security control that sits between a client’s web applications and services and the internet. The fully managed solution uses machine learning to look for anomalies in traffic as a means to complement signature-based detection. Zenedge delivers network availability and integrity with our volumetric DDoS mitigation service powered by RapidBGP(TM) which leverages scrubbing capacity situated globally to protect FIs from one of the most prevalent threats, without human intervention. Following a mitigation event, clients have access to rich reporting to gain insight into where an attack originated and what was targeted.
In terms of 23NYCRR500, it’s important to keep in mind that no one vendor will enable compliance across the full range of requirements. Rather, FIs would be well served to ensure that their security providers integrate seamlessly with their incident response plans, mitigate the risks identified during the assessment phase, and fit into the cybersecurity policy by delivering a tangible control. The Zenedge suite is well positioned to do exactly these things. We also conduct security scans of web properties as an initial step to ensure our solution takes into account any vulnerabilities or misconfigurations while those are addressed. Security and compliance is a continuous process and needs to be treated as such.