State-mandated regulations are intended to set up protections for financial institutions and consumers.
State-mandated regulations are intended to set up protections for financial institutions and consumers.

The nation's first state-mandated cybersecurity regulations regarding banking and financial services companies are scheduled to go into effect in New York state on March 1.

The rules are intended to set up protections for financial institutions as well as consumers.

"This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible," Governor Andrew Cuomo stated in September when proposing the "first-in-the-nation cybersecurity regulation."

The rules as released by the governor along with New York's Department of Financial Service, were originally proposed in September 2016 and, following a 45-day comment period, a final version was issued on February 20, 2017. 

The regulation adapts industry best practices – such as guidelines issued by the Securities and Exchange Commission and Financial Industry Regulatory Authority (FINRA) – and contains 23 sections calling for such things as encryption of data of all non-public information, appointing a CISO, employee training in security, enhanced multifactor authentication and the yearly submission by a senior officer of a certification affirming that the company is in compliance with the regulation's requirements.

"New York has taken a leadership role in the effort to hold these organizations accountable for intrusions due to poor cybersecurity defenses through improved procedures and remediation," Michael Patterson, CEO of Plixer International, told SC Media on Wednesday. "Forcing businesses to take basic cybersecurity precautions is a great first step toward securing not only the businesses themselves, but also consumers."

Taking a hard look at third-party vendors is also good practice, he added, as 63 percent of all data breaches can be attributed to a third-party vendor, according to a Soha Systems Security survey. "Everyone from LinkedIn to the Hard Rock Hotel and Casino have all been hacked exposing their clients' data, thanks to a third-party vendor. The measures taken by organizations to protect corporate assets from electronic theft have to consider many avenues of access." 

Key elements of New York state's cybersecurity regulation: 

1. Establishment of a cybersecurity program
2. Adoption of a written cybersecurity policy
3. Mandatory chief information security officer
4. Cybersecurity training for employees
5. Third-party service providers risk
6. Incident monitoring and reporting
7. Information security audits

– Source: UpGuard

For example, he pointed to laptops, tablets and mobile phones that are hand carried into organizations everyday – right past the firewall. "If these devices become infected off premises, it now becomes the corporate security teams' responsibility to defend against it. Remote employees coming in via VPN connections must also be monitored.  There is the additional issue of customers who need temporary access as well as contractors who need admittance to the internet and possibly internal resources as well.”

However, added Patterson, despite the most stringent of defenses and practices, malware will still infiltrate networks and devices to steal data, corporate assets and money. "This is why security systems that allow investigators to sleuth out the entire story behind the breach is absolutely necessary. Rules, regulations and best practices and remediation provide the foundation for companies to protect their customers as well as themselves.”

Under the new regulations, banks are now required to scrutinize their suppliers, and to report on breaches that affect them, Balázs Scheidler, CTO and co-founder of Balabit, told SC Media on Wednesday. "Since many of these suppliers might also have access to internal banking systems, those with remote access might be the leverage that an attacker would use to cross the perimeter, move laterally and take what they're after, as happened with the Target breach."

Requiring that breaches are reported is a good first step forward in improving detection of breaches, said Scheidler. But, he asked, is it enough? "It's a manual process that occurs after-the-fact of an attack. A more proactive approach would be to require close monitoring and analysis of suppliers' activities in real time with automated tools. This would shorten breach and threat discovery, enabling institutions to avert or minimize breach impacts."

"For obvious reasons, the state of New York has a vested interest in the health of a financial industry critical to the state's economic engine," Jeff Hill, director of product management at Prevalent, told SC Media. And, he added, as these new rules are testament to more and more, regulators, state agencies, investors and other stakeholders are connecting the dots between financial health and cybersecurity. 

"The economic wake of a substantial data breach can stretch for years, impacting not only tangible bottom line results, but also inflicting reputational damage that can linger indefinitely," Hill told SC. "New York state's new rules are particularly forward-looking in that they emphasize the importance of understanding and managing third-party risk, the source of more than half of all breaches, according to a number of studies." 

Addressing what is often the soft underbelly of many enterprises' cybersecurity defenses – third parties/vendors – the state of New York is forcing a critical element of its economic infrastructure to cover all its bases, Hill said.

John Gunn, chief marketing officer at VASCO Data Security, added that the state's new cybersecurity rules are an important step forward in acknowledging the important role of biometric and risk-based authentication in stopping hacking attacks against online and mobile banking. "Billions of dollars are being lost to fraud every year and modern methods of authentication that eliminate the outdated use of passwords and instead rely on the new and transparent technologies are far more effective."