A new set of regulations, which went into effect on March 1, 2017, is ramping up data security requirements for New York's banking industry.

[The regulations can be viewed here.]

The regulations are the first of their kind in the sense that no other state has mandated minimum cybersecurity standards.

Banks have 180 days to comply with the new rules, which require financial institutions to appoint a Chief Information Security Officer, implement a cybersecurity program, and periodically assess that program. On Lexology, attorneys from Fish & Richardson explain:

The final regulations are sweeping and granular at the same time. One major requirement is that entities conduct a periodic risk assessment to inform management as to the particular cyber and data risks of the organization, including how they evolve over time. The regulations contemplate that this risk assessment will “inform the design of the cybersecurity program.” 23 NYCRR 500.09(a).


Based on the risk assessment, entities are required to implement a cybersecurity program and create a written set of cybersecurity policies designed to protect the entity's information systems and its data from cyberthreats, and to detect, respond to, and recover from cyberattacks. 23 NYCRR 500.02, 500.03. The cybersecurity program is required to cover policies and procedures for:


• multi-factor authentication;

• data retention limitations;

• training and monitoring of personnel;

• encryption (or alternative controls) of nonpublic information in transit and at rest; and

• an incident response plan.

Legislatures across the rest of the country, at both the state and federal level, are watching how this plays out with keen interest.

Of course, the rules have drawn numerous comments and concerns. Chief among them: cybersecurity is a fast-evolving discipline, so can regulations keep pace with it?

Mike Baukes, writing at ReCode, thinks not:

Unfortunately, the rules are already being outpaced by the reality of business in the internet age. The regulations outline solid traditional security practices, such as limiting the distribution of personally identifiable information or requiring multifactor authentication, in addition to stipulating that organizations must test their cyber security systems in order to comply.

While good in theory, the problem lies with the cadence of cyber risk certification — the regulations only require that they’re checked once per year, which is far from what’s needed. It’s akin to checking the weather forecast once a year and hoping it holds relevance for the other 364 days.

Calling for “yearly” or “quarterly” tests fails to account for the speed at which digital systems — and their associated risks — change. In our line of work, traditional time windows in business cannot account for the rapid and accelerating pace of modern technology.

The premise of this routine compliance certification is well-intentioned, but by its very nature, it implies that systems should and will remain static for the given certification period. If your entire business were static for 12, six or even three months at a time, it would quickly cease to be a business. Top-performing companies excel in constant change and constant improvement, not in maintaining static systems.

One industry professional noted that the regulations do not address open banking, a growing trend in the European financial industry that could soon come to the U.S.

Ed Adshead-Grant, general manager of payments at Bottomline Technologies, commented via InfoSecurity Magazine:

“In its current form, the cybersecurity regulation proposed by New York State for banks and insurers is missing the mark, as it fails to address one key consideration: open banking. With the adoption of the PSD2 regulation in Europe, we’re already seeing financial institutions across the pond implementing new technologies like open APIs, and it’s clear that the trend will come to the US as well.

“The introduction of these technologies will give way to new security threats, requiring banks and insurers to implement real-time monitoring systems to identify and flag suspicious activity. While the proposed regulation’s requirement of multi-factor authentication is a solid step toward heightening security, that alone will not solve security problems if auditors are not watching how users – both internally and externally – are behaving in real-time.”

Photo by Neil Young via Flickr CC License