Part 500 of the rules apply not only to companies based in New York but also to those organizations they work with worldwide.
Part 500 of the rules apply not only to companies based in New York but also to those organizations they work with worldwide.

The New York State Department of Financial Services (DFS) cybersecurity rules that went into effect August 28 might serve as welcomed guidelines for financial services in and out of New York, but they still fall short of ensuring that companies are protected from cybercrime.

Part 500 of the rules, which apply not only to companies based in New York and those organizations they work with worldwide, requires firms to report any cybersecurity incidents causing – or having the real potential to cause – material harm to the New York State Department of Financial Services (NYS DFS) within 72 hours. The new regulations also press the organizations to adhere to “minimum security practices,” which they have two years to implement. They must also hire a Chief Information Security Officer (CISO). 

“Bottom line, this cybersecurity guidance is not robust enough,” said Tom Kellermann, CEO of Strategic Cyber Ventures (SCV). “Financial institutions must get back to their roots of safety and soundness in order to preserve trust and confidence via proactive cybersecurity. The sector's greatest exposure lies in the vulnerability of the technical service providers which creates a systemic vulnerability for ‘island hopping'.”

Noting that the new face of cybercrime – which he said more closely resembles a home invasion rather than a burglary – has a direct impact on a company's reputation so repercussions often land in the chief marketing officer's plate.  “Major breaches over the past decade have forced consensus that compliance with security standards does not equate to cybersecurity,” Kellermann said.

That's a sentiment echoed by Frances Zelazny, vice president of BioCatch. “With 6 months behind us, we are still using archaic tactics to fight 21st century battles – and cybersecurity, is not just about checking regulation boxes. Part of the problem is that it is difficult to get inside the mind of the hacker; it is not known where the next threat will come from or who the attacker is,” said Zelazny. “We are in a cat-and-mouse situation and there is a danger in thinking that compliance with new cybersecurity policies, like New York's, will take care of the problem – which couldn't be farther from the truth.”

Kellermann stressed the importance of security awareness throughout the ranks of upper management, not just within the office of the CISO. “Security awareness within the C-suite is necessary to mitigate cyber-risk, and the responsibility to protect brands from cyber threats extend beyond CISOs,” he said.

CMOs, Kellermann added, must be prepared to defend both brand and company when a cyber event occurs. “Avoiding a network breach is a corporation's ultimate measure of success, though the supposition that an adversary is already on one's network is foundational for mitigating cybercrime,” he said.

With 6 months behind us, we are still using archaic tactics to fight 21st century battles – and cybersecurity, is not just about checking regulation boxes. Part of the problem is that it is difficult to get inside the mind of the hacker; it is not known where the next threat will come from or who the attacker is. We are in a cat-and-mouse situation and there is a danger in thinking that compliance with new cybersecurity policies, like New York's, will take care of the problem – which couldn't be farther from the truth.

While Bay Dynamics CEO and co-founder Feris Rifai maintained that employing a CISO may a “novel concept” and a challenge to some smaller companies, the NYS DFS cybersecurity requirements ensure that someone will be “on the hook for compliance,” which is “a major change from other regulation out there.”

In fact, that requirement is one of two that makes the regulation “unique,” the other being a “strong emphasis on risk management,” he said.

“For the risk management component, part of the regulation that became mandatory this month, states that companies must perform risk assessments and build their cyber risk programs based on the results of the assessment,” said Rifai. “This means that companies should not treat all of their assets equally. They should identify what's most important and apply the most rigor protecting those assets. Assets that, if compromised, cause the most significant impact to the company, should be protected first, using the strongest controls.”

Zelazny called on companies “to practice ‘good cyber-hygiene,'” including “updating security systems and providing detailed and informative best practices for employees to be aware of suspicious emails.”

The keepers of policy and compliance “should think more carefully and strategically about how easy it would be to have an employee tricked into providing their credentials to a fraudster,” said Zelazny, who suggests employing those technologies that “make sure people are who they claim they are” and focus on behavior as well.

“They may not be spelled out in the regulations but addressing these issues will provide real security that is so sorely needed in New York and beyond,” said Zelazny.