Responding to growing threats from cyberattacks to financial institutions, New York state officially implemented new regulations mandating that banks and insurers adhere to certain cybersecurity standards. The rules take effect today.
The imposition of the nation's first state-mandated "Cybersecurity requirements for financial services companies" has elicited a range of responses. Many security experts, as well as business leaders who will be affected by the legislation, had praise for the rules. Others, however, are concerned that they lack teeth and don't provide the guidance that will prove effective in protecting consumers and enterprises from incursions.
Raz Rafaeli, CEO of Secret Double Octopus, told SC Media that this regulation, and the role that multifactor authentication has in it, seems to get it right.
"While we have historically seen slow adoption of two-factor authentication – mostly due to poor UX design – this regulation comes at a time when next-generation authentication platforms have the right combination of frictionless user experience and none of the security resiliency problems we saw in the past."
While Rafaeli said that nothing is a guarantee, he believed that implementing a sound program with multifactor technology as part of its core has never been more important, especially in light of the rise of breaches involving stolen or weak user passwords. "We are all going to watch this closely and hope that our initial excitement for the program is met with credible results."
Steven Grossman, VP of strategy and enablement at Bay Dynamics, pointed out that the NYS DFS cyber regulation requires compliance in stages over the course of the next 12 to 24 months. He viewed its risk assessment mandates as a positive step.
"In its updated form, the regulation takes a risk-based approach to the application of its requirements, allowing covered entities flexibility based on their risk assessment," he told SC. "One key requirement is the appointment of a responsible executive (a.k.a., CISO) and the attestation by that executive, or another responsible member of the team, that the organization is in compliance with the regulation."
Tim Erlin, senior director of IT security and risk strategy for Tripwire, told SC Media that the new regulation faces the same challenge as all cybersecurity regulations: how to provide prescriptive requirements that are technology-agnostic.
"The DFS regulation addresses the challenge of keeping up with the changing threat landscape by tying the details to a prescribed risk assessment," Erlin told SC. "Requiring a risk assessment to which the security controls are ultimately aligned is a smart move. It forces organizations to go beyond just buying the obvious tools to actually understand the threats they face."
The DFS regulation requires many of the basic, foundational controls that most cybersecurity regulations touch on, Erlin pointed out. "Covered entities need to implement a cybersecurity program, create and maintain a cybersecurity policy, and designate a qualified CISO that reports to the board on their progress and risks."
Other experts took a step back to assess some aspects they believe are missing from the new rules.
Ed Adshead-Grant, general manager of payments at Bottomline Technologies, told SC Media that in its current form, the cybersecurity regulation is missing the mark, as it fails to address one key consideration: open banking.
"With the adoption of the PSD2 regulation in Europe, we're already seeing financial institutions across the pond implementing new technologies like open APIs, and it's clear that the trend will come to the U.S. as well," said Adshead-Grant. "The introduction of these technologies will give way to new security threats, requiring banks and insurers to implement real-time monitoring systems to identify and flag suspicious activity."
While the proposed regulation's requirement of multifactor authentication is a solid step toward heightening security, he added, that alone will not solve security problems if auditors are not watching how users – both internal and external – are behaving in real time.
Further, Erlin at Tripwire noted some lack of specifics. "The DFS regulation intentionally avoids requiring many specific controls, but does include the best practices of vulnerability assessments and audit trails," he said. "However, the regulation includes some surprisingly weak allowances for the timing of vulnerability assessments."
Erlin pointed to the fact that unless a covered entity's risk assessment recommends otherwise, the regulation allows covered entities to perform only annual penetration tests and bi-annual vulnerability assessments. "It's well accepted that infrequent vulnerability assessments aren't enough, and it would be very surprising for any risk assessment to conclude that a bi-annual vulnerability assessment would be sufficient to protect a business."
"From an underwriter's standpoint, the new New York cybersecurity regulations may be a double-edged sword," Bill Kelly, SVP of E&O Underwriting at Argo Group, told SC Media. "On one hand, you should have companies with better risk profiles if they fully comply with the new regulations. The new regulations incorporate industry best practices in many areas of cybersecurity and therefore, companies that take the time, make the effort and make the investment to comply will theoretically be less vulnerable to cybersecurity incidents and/or be able to respond and mitigate damage if there is an incident."
On the other hand, he said, more regulations can result in more fines, penalties and lawsuits for companies that fail to comply.
"The obvious challenge for underwriters is to discern which companies have done a good job preparing for and implementing the necessary steps required to comply with the new regulations," said Kelly. "Insureds and brokers should be willing and prepared to take the time to make sure their insurance carriers have an accurate understanding of their risk profile. If a company has put in the time, money and effort to comply with the new regulations, they should see that reflected in their cyber insurance program."
Grossman at Bay Dynamics also noted that companies within the scope of the regulation, if they have not done so already, need to update their cyber risk assessments and put plans in place to ensure compliance within the required timeframes.
"CISOs in other states and regulated industries should also take note and get their house in order, in preparation for similar regulations that will certainly be coming their way," Grossman said.