[BreachExchange] New York’s cybersecurity regulations may seem burdensome, but they’re necessary

[Audrey McNeil]

http://thehill.com/blogs/congress-blog/technology/310734-new-yorks-
cybersecurity-regulations-may-seem-burdensome-but

In recent years, more and more companies across a range of industries have
fallen victim to cyber attacks, including Sony Pictures, Yahoo!, and
LinkedIn; however, we have yet to see a successful large scale breach of a
major U.S. financial institution.

Given the vast influence that large banks hold over both an individual’s
personal finances and the greater U.S. economy, there must be systems in
place to help prevent cyber attacks, alert customers in the event of a
breach, and allow institutions to recover following an attack.

In September, New York Gov. Andrew Cuomo and New York’s top banking
regulator wisely proposed new regulations that would require financial
institutions, including banks and insurance companies, to follow a new set
of cyber protection guidelines. (There are many exemptions for banks that
have fewer than 1,000 customers in each of the last three calendar years,
less than $5 million in gross annual revenue for each of the past three
fiscal years, and less than $10 million in year-end total assets.)

The period for comments from the industry closed in November, and the
regulation will be effective starting Jan. 1, 2017. Financial institutions
then have 180 days to comply with the policy. The new regulations have
sparked many discussions about the impact they will have on both the
finance industry and cybersecurity broadly.

The New York regulations are a good starting point to help ensure
cybersecurity best practices within the financial industry. The new
provisions align strongly with the Center for Internet Safety (CIS)’s 20
CIS Controls, which are seen as an industry standard for threat prevention
and mitigation for cybersecurity. Earlier this year, the state of
California made history by releasing the California Data Breach Report,
which recommended that companies operating in California and other states
adhere to the CIS Controls.

Several provisions of the New York policy specifically are worth drawing
attention to for both their strengths and faults.

500.04 Chief Information Security Officer

The new regulations call for companies to designate a Chief Information
Security Officer (CISO) to oversee the implementation and enforcement of
the organization’s cybersecurity practices. This is a great step toward
creating a more secure financial industry, as making one individual
responsible for the coordination of all cybersecurity efforts lowers the
chance that something will fall through the cracks. In the current cyber
climate it is more important than ever for cybersecurity professionals to
have a voice within the C-suite. The provision’s statement that companies
can use third-party service providers to fill this role will also allow
financial institutions to meet this requirement while using fewer
resources. Additionally, it is a thoughtful, appropriate response to the
current cybersecurity employment environment, in which there are not enough
cybersecurity professionals to meet the demand.

500.05 Penetration Testing and Vulnerability Assessments

Penetration testing, in which assessors try to get past a company’s
security measures to test the strength of the protections, is a good start,
but broader monitoring tactics would provide a stronger defense against
attacks. Instead of or in addition to penetration testing, financial
industries should engage in continuous monitoring of their defenses.
Continuous monitoring enables companies to spot a potential breach as soon
as it occurs and take immediate steps to address it, as opposed to
identifying security gaps every once in a while.

500.12 Multifactor Authentication

The focus on multifactor authentication is great from a cybersecurity
industry perspective. This tactic has been proven to be extremely effective
at protecting companies and their customers’ sensitive data. However, this
security system can be expensive to implement, and many organizations will
likely struggle to get these mechanisms in place. In the long run, though,
multifactor authentication is a solution that will be worth the cost.

500.18: Limited Exemption

Although the intention of this item to protect small businesses from overly
burdensome regulation is admirable, in this case it is actually somewhat
misguided. Certainly, other provisions of this policy have been criticized
for requiring too much from companies, between time, money, and human
resources. The less obvious downside to this provision that removes the
burden from small companies is that requiring them to comply with these
regulations will actually help them and their clients in the long run. A
full 60 percent of small companies go out of business within six months of
a cyber attack, according to The US’ National Cyber Security Alliance.
Small companies often have more to lose than large companies when their
data is breached, so it is critical for them to have systems to protect
their data. Implementing good cybersecurity hygiene when the company is
still small can be less expensive than waiting until the company grows, and
it is a good practice to have good cybersecurity habits ingrained in the
company as it expands and new people come on board. Despite the potential
financial stress these regulations may pose for small companies, it is
truly in their best interest to implement them. From the policy side,
lawmakers should strive to create a middle ground that minimizes exemptions
for smaller companies without being too burdensome in order to promote the
long-term success of small businesses.

Although New York’s regulations are far from perfect, they are a step in
the right direction toward creating a more secure cyber environment for the
financial industry.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161216/a153dbf3/attachment.html>