With a federal agency effort to impose strict new cybersecurity regulations on systemic financial institutions apparently on hold, New York authorities are calling on other states to adopt tougher security policies similar to what they put in place earlier this year.
Maria Vullo, superintendent of the New York State Department of Financial Services, called the state’s new cybersecurity regulation “a road map with rules of the road.” Addressing a group of state insurance commissioners, Vullo said the best way for the industry to focus on the threats against cybersecurity “is to have a consistent framework.”
New York’s cyber rules, the first in the nation, went into effect on March 1. Under these rules, each bank and insurance company based in the state must achieve regulatory compliance by implementing a formal cybersecurity policy that protects its data networks and customer information from cyber attack.
The adoption of the cybersecurity regulations followed massive data breaches at Target, Home Depot and health insurance company Anthem.
Conducting Periodic Cybersafety Appraisal
The new law requires firms to conduct periodic risk assessments and, as part of regulatory compliance, to document how the identified risks will be addressed. It requires notice within 72 hours of a cybersecurity event becoming known, and it mandates that financial institutions monitor third-party vendors to ensure that their cybersecurity plans also pass muster. It also requires firms to use multifactor authentication whenever feasible to guard against cyber break-ins.
The New York law was modified after a series of complaints from the financial services industry, notes the National Law Review. Specifically, each firm’s risk assessment will be based solely on its own institution, and firms have an 18-month transition period to adopt the required measures. Firms will have two years to implement the monitoring of third-party suppliers, who have been blamed for more than half of the cybersecurity breaches in the country.
Last fall, three federal agencies that oversee banks — the Federal Reserve Board, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation — proposed more stringent cybersecurity requirements that would affect all institutions with more than $50 billion in assets, including foreign banks that work in the U.S. The agencies were concerned that an attack on one financial institution might soon spread to others. “Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences,” the agencies said in a statement.
But there was sharp criticism from the financial services industry about the costs of implementing regulatory compliance. The proposal would require boards of directors to monitor the implementation of the cybersecurity rules, and it would require firms to have in place the best commercially available systems, with a guaranteed ability to recover “sector critical systems” from an attack within two hours.
While the cybersecurity regulation was generally applauded for requiring firms to conduct cyber-risk assessments, there was also criticism of how often those assessments have to be made. “The problem lies with the cadence of cyber risk certification — the regulations only require that they’re checked once per year,” said Mike Baukes, co-CEO of UpGuard, a cyber resilience platform. Baukes said digital risks are now popping up at lightning speed and may not be discovered in annual reviews.
What Can CIOs Do Now?
With other states likely to follow in New York’s footsteps, here are some best practices for CIOs:
- Tie your cybersecurity strategy to your overall business priorities in case your organization shares data with another organization or decides to expand to countries where there are restrictions on customer data, says analyst firm KPMG.
- Figure out what data really matters to your company, isolate it and focus your spending and capability around protecting that information, since you can’t protect everything from a cyberthreat, explains Deloitte.
- Invest resources in monitoring as well as protection, so that you know when you’re being hacked and can meet regulatory compliance.
- Prepare for a successful hack so you know how effective your security plan really is; it can be difficult to keep your cool in a panic situation.
- Check your insurance policies to make sure you’re covered for data loss-related damages.
- Make sure you haven’t left any vulnerabilities by guarding only the corporate cloud, and invest in the latest mobile security systems such as Samsung Knox, which protects your infrastructure with multilevel, hardware-to-application security.
While this cybersecurity regulation was implemented in New York state, it’s something for every CIO across the U.S. to consider as financial cybercrime becomes more widespread in an increasingly digital world.