Beginning this year, financial and insurance companies in the state of New York will have to comply with some of the country’s most stringent and far-reaching cybersecurity regulations. Governor Andrew Cuomo announced the new rules in September; they are meant to protect consumers, companies, and the financial infrastructure from the growing threat of cyberattacks. Following several years of surveys, draft proposals, and engagement with industry, the regulations take effect on March 1. After that date, covered entities have between six months and two years, depending on the provision, to come into compliance.
GRA Quantum has been driving the conversation on the importance of cybersecurity to the financial services industry for more than a year. In late 2015 we raised the topic of the new regulations then being considered by the New York Department of Financial Services (NYDFS) and the importance of limiting third-party access to financial firms’ networks. In July, we published a piece on the unique threat faced by hedge funds and their high-profile clients. Finally, in mid-2016 we published a white paper that looked at the impetus behind the new regulations and made predictions about what they would mean if they came into force.
The regulations in their final form are a revised version of the proposed rules we first wrote about in 2015. They remain largely similar and include many of the cybersecurity best practices GRA Quantum encourages as part of our Enterprise Cybersecurity Strategy. The new requirements can be broadly divided into the following categories (the full text of the regulation is referenced here):
- Management: The new regulations require that firms establish a cybersecurity program designed to protect their information systems, together with a written cybersecurity policy governing the security of those systems. The rules also require that companies designate a Chief Information Security Officer (CISO) to oversee the program and enforce the policy
- Personnel: In addition to the CISO, the rules require that firms use qualified cybersecurity personnel (in-house or outsourced) to oversee and perform the program’s core functions and to stay abreast of new developments and threats. For the wider workforce, the regulations require monitoring mechanisms to detect unauthorized use of information systems as well as periodic cybersecurity awareness training for all employees
- Notification Requirements: The rules require entities to notify the regulator within 72 hours of determining that a cybersecurity event has occurred that has a reasonable likelihood of materially harming normal operations. The prospect of disclosure is meant to act as a market incentive to take security seriously
- Third-party Service Provider Policy: Surveys commissioned by the NYDFS found that third-party service providers and vendors represent a significant gap in many banks’ network security. In response, the regulations require entities to maintain written policies and procedures to ensure the security of information systems and nonpublic information that are accessible to, or pass through, third-party service providers
- Risk Management: To minimize risk and encourage firms to proactively navigate the threat landscape, the rules require periodic penetration tests and vulnerability assessments, periodic risk assessments, and the secure disposal of nonpublic information that is no longer necessary for business operations. The regulations also require companies to adopt a written incident response plan so that a breach can be handled in an orderly way when it occurs
- Technical Requirements: The new regulations prescribe that firms implement certain practices and technologies to minimize risk and protect systems. Among these are audit trails designed to allow detection of and response to a security breach, multi-factor authentication, encryption of certain nonpublic data, limits on user access privileges, and secure development practices for in-house developed applications
The new regulations, though seemingly daunting, are largely in keeping with existing best practices and, when implemented correctly, can dramatically improve an organization’s security posture. While GRA Quantum has been a thought leader in cybersecurity since its inception, our technicians and consultants have been practitioners for even longer. Our team has decades of combined experience combatting cyber criminals and defending networks against nation-states in the upper echelons of government, the military, and the private sector. Many, if not all, of the requirements put forward by the NYDFS reflect the strategies and tactics we counsel clients to implement, and we are well suited to meet the technical compliance challenges now facing financial services firms.
In our 2016 white paper we predicted that New York State’s prominence in the financial world would make it a trendsetter with regard to cybersecurity regulation. The best way to get ahead of compliance challenges, to say nothing of real-world threats, is to be proactive in implementing good security practices and to set a new, higher cybersecurity standard for the rest of the industry to emulate.