Trust But Verify: New York Cyber Regs Mean Managing Third-Party Security
This year, the beginning of September marked a critical implementation deadline for some of the toughest new cybersecurity regulations in the country – the New York State Department of Financial Services (NYDFS) 23NYCRR 500. This set of regulations mandates that businesses supervised by the NYDFS – including banks, trusts, budget planners, check cashers, credit unions, money transmitters, licensed lenders, mortgage brokers or bankers, and insurance companies – protect consumers and trading partners from cyber attacks and data breaches.
This is because New York, arguably the pre- and post-Brexit financial center of the world, is implementing these regulations as a “direct response to the increasing number of cyber attacks on insurers and financial institutions,” observes the Harvard Law School Forum on Corporate Governance and Financial Regulation. Cyber attack examples include the 2015 attack on Anthem Inc., in which 78 million unencrypted records containing personal information were stolen, and the 2016 cyber attack on the central bank of Bangladesh, in which stolen SWIFT banking credentials and malware were used to illegally transfer $81 million of funds held at the Federal Reserve Bank of New York.
The value of personal records, such as a name paired with a social security number and a birth date, is nearly limitless on the dark web. Regulations like this are a response to the growing problem of identity theft and online fraud schemes.
In practical terms, as of this fall, the regulated businesses in New York are required to:
- Run a cybersecurity program aimed at protecting consumers
- Name a designated chief information security officer (CISO)
- Utilize multifactor authentication
- Implement and maintain an approved written policy
- Report hacking attempts to the state within 72 hours
Many states could expect similar legislation in the near future, and this mandate represents a meaningful shift in the way that businesses must not only protect their own technical infrastructure, but also that of third-party trading partners. Businesses must assume responsibility for IT security around shared customer information, even if they don’t manage that information themselves. What’s more, strict reporting requirements will become the norm, and businesses should expect to provide reports on penetration testing, secure development, risk assessment, multifactor authentication and encryption.
The challenges of 23NYCRR and other regulations can certainly be daunting, especially for smaller businesses that may be impacted, but tackling the seemingly insurmountable task of compliance can be achieved if businesses establish and execute against a solid cybersecurity plan. The first steps include designating a CISO and other parties within the organization who are responsible for the security plan and its implementation. Typically, the CISO will work with the chief information officer (CIO) and report to the CEO and board.
Once a chain of command is established, the process typically begins with an audit designed to reveal gaps in the security infrastructure and areas that require attention for compliance. This can be as simple as documenting existing security processes and controls that are already in place or implementing new procedures and/or hardware and software solutions for physical, network and endpoint security.
Organizations that have a solid security posture only need to validate, document and fine tune many of their existing policies and procedures for regulatory compliance. Some companies and their IT teams have worked with consulting firms to achieve compliance, and leveraging consulting firms and outsourcers has helped many companies avoid going it alone and “reinventing the wheel” when it comes to implementation deadlines.
The same can be said for fixes that may need to be made to physical, device and network security. An ample number of turnkey, cloud-based solutions can be used for point-to-point network security, as well as device and laptop encryption. These solutions enable rapid compliance with the regulations and allow IT departments to outsource the hard and often tedious work associated with securing every machine and network connection in the organization.
Having a reliable outsourced security partner is particularly useful when it comes to third parties, which represent a big security challenge because, while they are critical business partners, there is often very little visibility into their security practices and how they handle personal and financial data. An example is insurance brokers, which usually represent multiple companies. An outside security vendor can prevent internal IT teams from getting overtaxed by chasing down issues created by those third parties. At AlertSec, we call this the “trust but verify” policy; it serves a critical role in the overall security posture for many financial and insurance firms, because we specialize in “owning the problem” to ensure that third-party systems and data are secure and compliant.
It is clear that the price of implementing a sound IT security chain is insignificant when compared to the cost of a data breach, and we see security as much more than just an IT department issue. We view it as a board-level concern that has gone from a cost of doing business to a cost of staying in business.
After all, data breaches can be much more than the hard dollar cost of any losses incurred. Not only is there damage to a company’s reputation, but security breaches take away a company’s focus on its core business, resulting in revenue loss and diluted shareholder value over time. This is why companies – whether facing a deadline or not – must make IT security a top priority, not only to ensure compliance, but to also ensure long-term business continuity.