How to Comply with New York’s Cybersecurity Regulation Without Breaking the Bank

Stephen Gates


November 20, 2017


It’s official: the New York State Department of Financial Services’ (DFS) new cybersecurity regulation for financial institutions is in full effect and passed its first compliance deadline in August. These first-in-the-nation protections set minimum cybersecurity standards to which banks and financial institutions under the department’s purview are required to adhere. Under the new requirements, financial institutions must now:

  1. Maintain a board-approved cybersecurity program designed to protect the confidentiality, integrity, and availability of the covered entity’s information systems

  2. Appoint a Chief Information Security Officer (CISO)

  3. Conduct periodic risk assessments and annual penetration tests to identify vulnerabilities, and then implement all necessary controls

  4. Outline a detailed security incident response plan to notify regulators within 72 hours of a cybersecurity or data security incident

  5. Submit a certification from senior compliance officers that the company’s controls are adequate (the first of which is due on or before February 15, 2018)


In the absence of a comprehensive cybersecurity policy and accompanying regulation at the national level, New York is taking command with greater oversight to protect financial institutions from the seemingly endless onslaught of attacks and new threat vectors. New York regulators have put a stake in the ground that banks must protect their customers’ information, and smaller players in particular must get organized quickly and evaluate their security foundation if they hope to stay out of regulators’ crosshairs. In practice, the new regulation may not mean very much for the larger banks and financial institutions that have the resources and funds to comply. Indeed, the largest U.S. banks, such as Citigroup, JP Morgan Chase, and Wells Fargo, were already well prepared for this new regulation and likely had many of these measures in place as many of the requirements were already addressed by other regulations and standards. However, smaller banks with limited resources may face significant challenges to implement the appropriate controls required. What's more, getting into compliance is actually most important for these small organizations as they are the most vulnerable targets for breaches, since hackers understand they have limited resources in place, including budgets, technology and skilled security personnel.

As smaller financial organizations covered by the cybersecurity regulation move quickly to develop an effective approach to cybersecurity, there are ways they can ease the burden and avoid depleting their already constrained technical resources. Here are a few tips to help those tasked with securing smaller banks and financial institutions to address the requirements, organize quickly and secure their infrastructure to ensure compliance with the new standards:

Requirement: Maintain a board-approved cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s information systems
Ensure that your cybersecurity program is comprehensive and executable. Readily available guidelines and recommendations like PCI-DSS, SANS Critical Cybersecurity Controls and OWASP Top 10 can logically serve as a foundation for your cybersecurity program—there is no need to reinvent the wheel yourself. Remember that just because something is written down, agreed upon, and board-approved does not mean you are more secure; it must also be executable, with a clear action plan in place.

Requirement: Appoint a CISO to help protect data and systems
Appointing a CISO and holding them personally responsible for execution of the board-approved cybersecurity program is always a good recommendation. The CISO must not only have an extensive understanding of the risks, threats and vulnerabilities an organization faces, but must also understand the tactics, techniques and procedures needed to truly strengthen an organization’s cyberdefenses. Appointing a CISO with the right skillset is critical, but it is not always easy to achieve. The hard part will be implementing the practices and procedures that the regulations demand, and the cultural shift that may be required for organizations to truly benefit from the requirements and improve their security estates. Appointing a CISO is the first step, not the last, and on its own, does not mean an organization is any more secure than it was before a CISO was in place.

Requirement: Conduct periodic risk assessments and annual penetration tests to identify vulnerabilities, and then implement all necessary controls
Periodic risk assessments and annual penetration tests should be performed by an independent third party to ensure no individual in the organization can skew the results, for example by making them look better than they actually are. The recommendation here is also to perform daily, weekly, and monthly penetration tests in-house, to ensure an organization does not introduce a new vulnerability through a recent application update or improvement. A strong update program must also be put in place to ensure the latest vendor patches are applied as soon as possible. These patches normally fix vendor-introduced vulnerabilities and must be applied quickly.

Requirement: Implement a security incident response plan and report occurrences to authorities within 72 hours
A security response plan is only as good as the organization’s attack detection capabilities. Many recent data breaches reported in the news demonstrate that hackers have remained in breached networks for months without being detected. Organizations must put controls in place to reduce the time from infection to detection, reducing it to minutes or seconds rather than weeks or months. The longer hackers are in a system, the more damage they can cause. Under the new regulations, financial institutions must have a written incident response plan that ensures the firm mitigates the effects of a cybersecurity event and reports any incident to the federal authorities within 72 hours of detection.

Requirement: Senior compliance official/board must certify adequate controls
The certification process is critical to ensure an organization can prove that the concepts of due diligence and due care were followed and met. Without this certification process, organizations and senior executives can be held liable for such failures. Since these concepts can be somewhat subjective, going above and beyond will help organizations in the event of any litigation stemming from the impacts of a data breach. The recommendation here is to keep copious records of the adequate controls and the ongoing actions taken to ensure compliance and security.

Stephen Gates is chief research intelligence analyst at Zenedge.