Dark Reading is part of the Informa Tech Division of Informa PLC

Steven Grossman
The Cybersecurity Mandates Keep On Coming

There's a good reason for the proliferation of mandates like the one in New York state, but companies may struggle to answer this question: "Are we in compliance?"

Financial organizations are no strangers to regulation, but when it comes to cybersecurity, new mandates keep cropping up, and for good reason. According to a study from Accenture and the Ponemon Institute, the global financial services sector has experienced a 40% increase in the cost of cyberattacks during the past three years. Cyber heists against a string of banks (such as the $81 million stolen from the Bangladesh central bank and $6 million from a Russian bank) and high-profile data breaches at well-known global financial organizations have demonstrated that financial companies are top targets for cybercriminals.

With threats more complex than ever, and with more data to protect and more technologies touching that data, more cyber regulation is bound to happen. One of the most recent mandates is the New York State Department of Financial Services (NYS DFS) Cybersecurity Regulation. While the mandate first took effect March 1, 2017, important deadlines arrived on February 15 and March 1, 2018, including the requirement for a senior officer to certify that their organization is in compliance with the initial set of mandates. It's the first cyber regulation of its kind requiring that a specific individual attest to compliance.

The NYS DFS Cybersecurity Regulation is meant to help financial organizations establish a risk-based security program. Most provisions include the phrase "based upon the covered entity's risk assessment…" Requirements include hiring a chief information security officer (CISO), implementing multifactor authentication, performing continuous monitoring or annual penetration testing, providing notification within 72 hours of a breach occurring, monitoring for anomalous behavior, and more.

The regulation is mandatory both for large global financial organizations with operations in New York state and for smaller organizations with as few as 10 employees, $5 million in gross revenue, and $10 million or more in total assets. As of March 1, covered financial institutions are on the hook for all of the regulation's mandates except the few that do not take effect until September 2018 or March 2019.

As they work to meet the NYS DFS compliance mandates, many of those same financial organizations are also working to comply with the upcoming EU General Data Protection Regulation (GDPR), which takes effect May 25 and affects any company that collects data on EU citizens, as well as the SWIFT Customer Security Controls Framework, which took effect January 2018 and requires banks that use the SWIFT global messaging platform to implement controls on SWIFT-connected infrastructure, such as multifactor authentication, continuous monitoring, and anomalous behavior detection. Each mandate comes with its own set of penalties including hefty fines (noncompliance with the GDPR could lead to a fine of up to 4% of global annual turnover).

The layering of mandates along with increasing penalties sends a message to financial organizations: dedicate budget, time, and resources to protecting your most-valued assets. The good news is that the message has resonated among many large financial organizations. Most global banks we have worked with already have established cybersecurity programs that fulfill many of the required mandates in part or whole. They have CISOs with policies, training programs, processes, tools, and technologies rolled out to handle access controls, authentication, data protection, vulnerability management, third-party risk management, and other important cyber requirements.

Biggest Challenge
The greatest challenge for these banks is taming the cyber beast that results from their size and complexity. Most have a cacophony of tools, vendors, and processes, resulting in uneven protection and a lack of visibility into their assets and the cyber risks that may affect them. This is enough to give any board member or senior officer pause when certifying that their organization is in compliance with the NYS DFS mandate.

The good news is that most are moving quickly to improve. To manage their risk and comply with regulations like the NYS DFS Cybersecurity Regulation, most large financial services organizations are performing risk assessments as part of an overall risk-based approach and are deploying cyber-risk and user behavior analytics tools and processes to improve how they protect themselves from external and internal threats. The additional benefit is that these organizations will be able to sign their NYS DFS Cybersecurity Regulation certifications with a more complete knowledge and increased confidence.

Midsize and smaller financial organizations, however, may struggle to comply with the many mandates. They typically have less-mature security programs, lower budgets, and fewer resources. For those banks and any others working toward compliance, a good place to start is to assign an executive responsible for cybersecurity. Using their own experience or that of a third party, they will conduct a comprehensive risk assessment. A risk assessment will include identifying which assets matter most to the organization, those assets that if compromised would affect the organization the most, and a plan to bring the organization up to industry standards and in compliance with the NYS DFS mandate.

The covered entities themselves are not the only ones that need to pay attention. Increasingly, regulators are explicitly holding covered entities accountable even when a third-party service provider is responsible for a violation. That means third-party service providers will need to meet the same level of compliance as the entities themselves, regardless of their own location or industry. For example, even companies operating outside of New York state need to understand and comply with the regulations their NYS financial clients are obligated under, and those operating outside the EU need to comply with GDPR.

Prioritizing the "crown jewels" of the organization is inherent to adopting a risk-based approach, which is the focus of the NYS DFS mandate. By focusing their programs on the areas of greatest risk, organizations will make the most of their limited resources while protecting the assets that are the most important for the company to be successful.

Steven Grossman is VP of Strategy at Bay Dynamics, a cyber-risk analytics company. He has more than 20 years of management consulting, software, and industry experience working with technology, security, and business executives, driving solutions to their most critical and ...

Joe Stanganelli, User Rank: Ninja
4/5/2018 | 12:26:45 AM
Financial services suffering
I can attest to the fact that increasing compliance burdens are stifling smaller and midsize financial institutions. BankUnited, for instance, completely ditched its entire retail mortgage business a couple of years ago because of compliance costs and complexities.
Joe Stanganelli, User Rank: Ninja
4/4/2018 | 6:45:23 PM
Re: Compliance is impossible
@REISEN: While compliance issues certainly present added costs and complexities for organizations -- sometimes prohibitively so -- I won't go so far as how you put it.

As Terry Ray, CTO of Imperva, suggested recently in a piece for Dark Reading ( link: darkreading.com/putting-the-s-in-sdlc-do-you-know-where-your-data-is/a/d-id/1331185 ), the key is to know where your datasets are and where they are not, and how they are processed and distributed throughout your SDLC. This is basic data hygiene.

And if you practice and keep fundamentally excellent data hygiene (which most organizations do not), then I tend to think that chances are you are going to be 90% in compliance with whatever data-protection regulations that are thrown your way.
User Rank: Ninja
4/2/2018 | 7:16:30 AM
Compliance is impossible
Why? Because the hackers and actors out there have nothing but time on their hands to think and act - and are always 5 minutes ahead of our best efforts to keep them out. To be IN compliance is an impossibility so we should always be chasing compliance as best as we can.