As of Aug. 28, 2017, New York's superintendent of financial services enforced "Cybersecurity Requirements for Financial Services Companies," a first-in-the-nation regulation designed to thwart the prevalent menace posed by nation-states, terrorist cells, and independent hackers.
The regulation is designed to protect the Big Apple against the kind of cybercrime that has resulted in substantial financial losses across the country. For many New Yorkers, the regulation couldn't come soon enough.
In the past two years alone, the state has been affected by some devastating cyberattacks. First, The New York Times' Web site was hit by ransomware, then the computers at the Erie County Medical Center were hijacked — taking them down for no less than six weeks.
Under New York state law, 23 NYCRR Part 500 requires banks, insurance companies and other financial institutions to establish cybersecurity programs, put written policies into place, and report cybersecurity incidents to the Department of Financial Services (DFS).
All institutions are also required to have a chief information security officer to oversee information assets and ensure that the proper technologies are being implemented. Additionally, a 72-hour breach notification is mandatory, as is an annual written statement to the superintendent confirming compliance, to be completed and submitted no later than Feb. 15, 2018.
Such reports must be submitted through DFS's online portal to verify the soundness of an institution's security protocol. The DFS has also taken measures to expedite the process by which brokers and agents can renew their licenses.
The regulation calls for a cybersecurity policy to be maintained to protect the confidentiality, integrity and availability of the covered entity's information systems, that is, the systems of the bank, insurance company or other financial institution.
The policy needs to be based on the "Covered Entity's Risk Assessment" and designed to perform 14 core functions. These core functions include all aspects of cybersecurity from asset inventory, device management, information security, and data governance — to disaster recovery planning, systems operations, network security, and environmental controls.
The policy is expected to cover customer data privacy, vendor and third party service provider management, incident response, and system and network monitoring. Limiting user access to information systems is also called for. Covered entities are obliged to periodically review access privileges as a precautionary measure.
The regulation sets a precedent that the rest of the nation should pay attention to. After all, New York State has a rich history when it comes to introducing paradigms safeguarding American businesses. In 1984, it became the first state to mandate seat belt laws and, in no time at all, the rest of the country followed suit.
Much of what the regulation calls for runs parallel to the federal Gramm-Leach-Bliley Act (GLBA) that already governs financial institutions. For instance, all covered entities are responsible for ensuring that their cybersecurity program "include[s] continuous monitoring or periodic penetration testing and vulnerability assessments."
Much like the GLBA, it is mandatory for entities to utilize multi-factor authentication, or equivalent controls, to protect against unauthorized access to non-public information.
Establishing a vendor risk management program is yet another of the regulation's requirements, one that makes a lot of sense in the volatile third-party environment that most institutions find themselves in.
The need for such regulation is great, as Cisco Systems can attest. In a July 2017 study, it found that 48 percent of financial service organizations polled lacked so much as a standardized information security policy. Perhaps even more disturbing were the statistics on internal investigation.
The report discovered that a mere 55 percent of cyber alerts were investigated by these financial institutions and, of the 28 percent of threats deemed to be legitimate, just 43 percent were remediated. It's clear from these figures that there is more than a little stagnation or ignorance at work within the financial services industry.
As with all things modern, it can be difficult for companies to acclimate to new trends, especially when those trends are foisted upon them at will. Fortunately for those institutions that aren't exempt from the regulation, we're no longer living in the Dark Ages. It is easier now than ever to educate oneself and one's staff about information technologies as well as the security solutions associated with them.
In recent years, a slew of computer science experts have detailed the ways in which companies can use dedicated virtual private networks, intrusion detection systems and various proprietary solutions to ward off malicious software, data breaches, and internal theft.
They have also warned us about the myriad methods by which hackers can gain access to the sensitive data maintained by the financial service industry.
As the story of Mikko Hypponen, the chief research officer at the security company F-Secure, illustrates, it's easier than the average person would think. Hypponen managed to con his way into accessing a Nordic financial institution's mainframe by simply pretending that he was there to perform an audit.
Others, like Jamie Woodruff, the so-called "ethical hacker," develop some of the most obvious attacks to demonstrate security flaws. These attacks can be as elementary as intercepting people's cell phone data just by passing near them and using cheap technology available for purchase online.
The NSA has been doing its part to prevent these kinds of incidents as well, providing Wall Street banks with intelligence about foreign hackers who could potentially exploit holes in security, and disable trading systems and ATMs. Global economic threats are considered imminent as cybercriminals create increasingly sophisticated means of attack.
In December of 2017, it was reported that over 100 industry experts from the U.S. financial sector had collaborated on a one-of-a-kind cyber resilience initiative known as Sheltered Harbor. It archives all account data in a secure data vault, preventing alteration or deletion.
Separately, the Federal Deposit Insurance Corporation (FDIC) has published a comprehensive bank customer guide to cybersecurity that will enable the public to protect their banking information at home and abroad.
Representing an important step in the right direction, at this crucial time in American history and technology, is the New York law, 23 NYCRR 500.
That law demands that our financial establishment keep pace with the ever-evolving tech space.
Sam Bocetta is a defense contractor for the U.S. Navy, a defense analyst, and a freelance journalist. He specializes in finding radical — and often heretical — solutions to "impossible" ballistics problems. Through Lakeview Capital, he also cultivates funding for projects — usually naval, defense, and UAV startups. He writes about naval engineering, mechanical engineering, electrical engineering, marine ops, program management, defense contracting, export control, international commerce, patents, InfoSec, cryptography, cyberwarfare, and cyberdefense.
© 2022 Newsmax. All rights reserved.