Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

3/30/2018
10:30 AM
Steven Grossman
Steven Grossman
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Cybersecurity Mandates Keep On Coming

There's a good reason for the proliferation of mandates like the one in New York state, but companies may struggle to answer this question: "Are we in compliance?"

Financial organizations are no strangers to regulation, but when it comes to cybersecurity, new mandates keep cropping up, and for good reason. According to a study from Accenture and the Ponemon Institute, the global financial services sector has experienced a 40% increase in the cost of cyberattacks during the past three years. Cyber heists against a string of banks (such as $81 million stolen from the Bangladesh central bank and $6 million from the Russian bank) and high-profile data breaches of well-known global financial organizations have demonstrated that financial companies are top targets for cybercriminals.

With threats more complex than ever, and with more data to protect and more technologies touching that data, more cyber regulation is bound to happen. One of the most recent mandates is the New York State Department of Financial Services (NYS DFS) Cybersecurity Regulation. While the mandate first took effect March 1, 2017, important deadlines arrived on February 15 and March 1, 2018, including the requirement for a senior officer to certify that their organization is in compliance with the initial set of mandates. It's the first cyber regulation of its kind requiring that a specific individual attest to compliance.

The NYS DFS Cybersecurity Regulation is meant to help financial organizations establish a risk-based security program. Most provisions include the phrase "based upon the covered entity's risk assessment…" Requirements include hiring a chief information security officer (CISO), implementing multifactor authentication, performing continuous monitoring or annual penetration testing, providing notification within 72 hours of a breach occurring, monitoring for anomalous behavior, and more.

The regulation is mandatory for large global financial organizations that have operations in New York state and smaller organizations that have as few as 10 employees, with a $5 million gross revenue and $10+ million in total assets. As of March 1, covered financial institutions are on the hook for all but the few of the regulation's mandates that do not take effect until September 2018 or March 2019.

As they work to meet the NYS DFS compliance mandates, many of those same financial organizations are also working to comply with the upcoming EU General Data Protection Regulation (GDPR), which takes effect May 25 and affects any company that collects data on EU citizens, as well as the SWIFT Customer Security Controls Framework, which took effect January 2018 and requires banks that use the SWIFT global messaging platform to implement controls on SWIFT-connected infrastructure, such as multifactor authentication, continuous monitoring, and anomalous behavior detection. Each mandate comes with its own set of penalties including hefty fines (noncompliance with the GDPR could lead to a fine of up to 4% of global annual turnover).

The layering of mandates along with increasing penalties sends a message to financial organizations: dedicate budget, time, and resources to protecting your most-valued assets. The good news is that the message has resonated among many large financial organizations. Most global banks we have worked with already have established cybersecurity programs that fulfill many of the required mandates in part or whole. They have CISOs with policies, training programs, processes, tools, and technologies rolled out to handle access controls, authentication, data protection, vulnerability management, third-party risk management, and other important cyber requirements. 

Biggest Challenge
The greatest challenge for these banks is taming the cyber beast that results from their size and complexity. Most have a cacophony of tools, vendors, and processes, resulting in uneven protection and a lack of visibility into their assets and the cyber risks that may affect them. This is enough to give any board member or senior officer pause when certifying that their organization is in compliance with the NYS DFS mandate.

The good news is that most are moving quickly to improve. To manage their risk and comply with regulations like the NYS DFS Cybersecurity Regulation, most large financial services organizations are performing risk assessments as part of an overall risk-based approach and are deploying cyber-risk and user behavior analytics tools and processes to improve how they protect themselves from external and internal threats. The additional benefit is that these organizations will be able to sign their NYS DFS Cybersecurity Regulation certifications with a more complete knowledge and increased confidence.

Midsize and smaller financial organizations, however, may struggle to comply with the many mandates. They typically have less-mature security programs, lower budgets, and fewer resources. For those banks and any others working toward compliance, a good place to start is to assign an executive responsible for cybersecurity. Using their own experience or that of a third party, they will conduct a comprehensive risk assessment. A risk assessment will include identifying which assets matter most to the organization, those assets that if compromised would affect the organization the most, and a plan to bring the organization up to industry standards and in compliance with the NYS DFS mandate.

The actual covered entities themselves are not the only ones that need to pay attention. Increasingly, regulators are explicitly holding covered entities accountable, regardless of the fact that a third-party service provider may be responsible for a violation. That means that third-party service providers will need to provide the same level of compliance as the entities themselves, regardless of their own location or industry. For example, even those companies operating outside of New York state need to understand and comply with the regulations under which their NYS financial clients are obligated, and those operating outside the EU need to comply with GDPR.

Prioritizing the "crown jewels" of the organization is inherent to adopting a risk-based approach, which is the focus of the NYS DFS mandate. By focusing their programs on the areas of greatest risk, organizations will make the most of their limited resources while protecting the assets that are the most important for the company to be successful.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Steven Grossman is VP of Strategy at Bay Dynamics, a cyber-risk analytics company. He has more than 20 years of management consulting, software, and industry experience working with technology, security, and business executives, driving solutions to their most critical and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
4/5/2018 | 12:26:45 AM
Financial services suffering
I can attest to the fact that increasing compliance burdens are stifling smaller and midsize financial institutions. BankUnited, for instance, completely ditched its entire retail mortgage business a couple of years ago because of compliance costs and complexities.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
4/4/2018 | 6:45:23 PM
Re: Compliance is impossible
@REISEN: While compliance issues certainly present added costs and complexities for organizations -- sometimes prohibitively so -- I won't go so far as how you put it.

As Terry Ray, CTO of Imperva, suggested recently in a piece for Dark Reading ( link: darkreading.com/putting-the-s-in-sdlc-do-you-know-where-your-data-is/a/d-id/1331185 ), the key is to know where your datasets are and where they are not, and how they are processed and distributed throughout your SDLC. This is basic data hygiene.

And if you practice and keep fundamentally excellent data hygiene (which most organizations do not), then I tend to think that chances are you are going to be 90% in compliance with whatever data-protection regulations that are thrown your way.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/2/2018 | 7:16:30 AM
Compliance is impossible
Why?  Because the hackers and actors out there have nothing but time on their hands to think and act - and are always 5 minutes ahead of our best efforts to keep them out.  To be IN compliance is an impossibility so we should always be chasing compliance as best as we can.  
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1874
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-ba...
CVE-2019-1875
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by t...
CVE-2019-1876
PUBLISHED: 2019-06-20
A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could exp...
CVE-2019-1878
PUBLISHED: 2019-06-20
A vulnerability in the Cisco Discovery Protocol (CDP) implementation for the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to insuff...
CVE-2019-1879
PUBLISHED: 2019-06-20
A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploi...