
Steven Grossman
The Cybersecurity Mandates Keep On Coming

There's a good reason for the proliferation of mandates like the one in New York state, but companies may struggle to answer this question: "Are we in compliance?"

Financial organizations are no strangers to regulation, but when it comes to cybersecurity, new mandates keep cropping up, and for good reason. According to a study from Accenture and the Ponemon Institute, the global financial services sector has experienced a 40% increase in the cost of cyberattacks during the past three years. Cyber heists against a string of banks (such as $81 million stolen from the Bangladesh central bank and $6 million from a Russian bank) and high-profile data breaches of well-known global financial organizations have demonstrated that financial companies are top targets for cybercriminals.

With threats more complex than ever, and with more data to protect and more technologies touching that data, more cyber regulation is bound to happen. One of the most recent mandates is the New York State Department of Financial Services (NYS DFS) Cybersecurity Regulation. While the mandate first took effect March 1, 2017, important deadlines arrived on February 15 and March 1, 2018, including the requirement for a senior officer to certify that their organization is in compliance with the initial set of mandates. It's the first cyber regulation of its kind requiring that a specific individual attest to compliance.

The NYS DFS Cybersecurity Regulation is meant to help financial organizations establish a risk-based security program. Most provisions include the phrase "based upon the covered entity's risk assessment…" Requirements include hiring a chief information security officer (CISO), implementing multifactor authentication, performing continuous monitoring or annual penetration testing, providing notification within 72 hours of a breach occurring, monitoring for anomalous behavior, and more.

The regulation is mandatory for large global financial organizations that have operations in New York state and smaller organizations that have as few as 10 employees, with a $5 million gross revenue and $10+ million in total assets. As of March 1, covered financial institutions are on the hook for all but the few of the regulation's mandates that do not take effect until September 2018 or March 2019.

As they work to meet the NYS DFS compliance mandates, many of those same financial organizations are also working to comply with the upcoming EU General Data Protection Regulation (GDPR), which takes effect May 25 and affects any company that collects data on EU citizens, as well as the SWIFT Customer Security Controls Framework, which took effect January 2018 and requires banks that use the SWIFT global messaging platform to implement controls on SWIFT-connected infrastructure, such as multifactor authentication, continuous monitoring, and anomalous behavior detection. Each mandate comes with its own set of penalties including hefty fines (noncompliance with the GDPR could lead to a fine of up to 4% of global annual turnover).

The layering of mandates along with increasing penalties sends a message to financial organizations: dedicate budget, time, and resources to protecting your most-valued assets. The good news is that the message has resonated among many large financial organizations. Most global banks we have worked with already have established cybersecurity programs that fulfill many of the required mandates in part or whole. They have CISOs with policies, training programs, processes, tools, and technologies rolled out to handle access controls, authentication, data protection, vulnerability management, third-party risk management, and other important cyber requirements. 

Biggest Challenge
The greatest challenge for these banks is taming the cyber beast that results from their size and complexity. Most have a cacophony of tools, vendors, and processes, resulting in uneven protection and a lack of visibility into their assets and the cyber risks that may affect them. This is enough to give any board member or senior officer pause when certifying that their organization is in compliance with the NYS DFS mandate.

The good news is that most are moving quickly to improve. To manage their risk and comply with regulations like the NYS DFS Cybersecurity Regulation, most large financial services organizations are performing risk assessments as part of an overall risk-based approach and are deploying cyber-risk and user behavior analytics tools and processes to improve how they protect themselves from external and internal threats. The additional benefit is that these organizations will be able to sign their NYS DFS Cybersecurity Regulation certifications with a more complete knowledge and increased confidence.

Midsize and smaller financial organizations, however, may struggle to comply with the many mandates. They typically have less-mature security programs, lower budgets, and fewer resources. For those banks and any others working toward compliance, a good place to start is to assign an executive responsible for cybersecurity. Using their own experience or that of a third party, they will conduct a comprehensive risk assessment. A risk assessment will include identifying which assets matter most to the organization, those assets that if compromised would affect the organization the most, and a plan to bring the organization up to industry standards and in compliance with the NYS DFS mandate.

The actual covered entities themselves are not the only ones that need to pay attention. Increasingly, regulators are explicitly holding covered entities accountable, regardless of the fact that a third-party service provider may be responsible for a violation. That means that third-party service providers will need to provide the same level of compliance as the entities themselves, regardless of their own location or industry. For example, even those companies operating outside of New York state need to understand and comply with the regulations under which their NYS financial clients are obligated, and those operating outside the EU need to comply with GDPR.

Prioritizing the "crown jewels" of the organization is inherent to adopting a risk-based approach, which is the focus of the NYS DFS mandate. By focusing their programs on the areas of greatest risk, organizations will make the most of their limited resources while protecting the assets that are the most important for the company to be successful.


Steven Grossman is VP of Strategy at Bay Dynamics, a cyber-risk analytics company. He has more than 20 years of management consulting, software, and industry experience working with technology, security, and business executives, driving solutions to their most critical and ...

Joe Stanganelli
4/5/2018 | 12:26:45 AM
Financial services suffering
I can attest to the fact that increasing compliance burdens are stifling smaller and midsize financial institutions. BankUnited, for instance, completely ditched its entire retail mortgage business a couple of years ago because of compliance costs and complexities.
Joe Stanganelli
4/4/2018 | 6:45:23 PM
Re: Compliance is impossible
@REISEN: While compliance issues certainly present added costs and complexities for organizations -- sometimes prohibitively so -- I won't go so far as how you put it.

As Terry Ray, CTO of Imperva, suggested recently in a piece for Dark Reading ( link: darkreading.com/putting-the-s-in-sdlc-do-you-know-where-your-data-is/a/d-id/1331185 ), the key is to know where your datasets are and where they are not, and how they are processed and distributed throughout your SDLC. This is basic data hygiene.

And if you practice and keep fundamentally excellent data hygiene (which most organizations do not), then I tend to think that chances are you are going to be 90% in compliance with whatever data-protection regulations that are thrown your way.
4/2/2018 | 7:16:30 AM
Compliance is impossible
Why? Because the hackers and actors out there have nothing but time on their hands to think and act - and are always 5 minutes ahead of our best efforts to keep them out. To be IN compliance is an impossibility so we should always be chasing compliance as best as we can.