How Financial Services Organizations Should Respond to New York's Cybersecurity Regulation
“The financial services industry is a significant target of cyber security threats ...given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted.” - The New York Department of Financial Services, 23 NYCRR 500
The average financial services organization experiences 65% more cyber attacks than the average organization across all industries. It’s no surprise that the financial services industry wears a target on its back. After all, finance offers the most direct route to a highly sought after resource: money. And as phishing and other security attacks become more sophisticated, the number of attacks continues to rise. According to a recent report by IBM X Force, financial services saw a 29% increase in cyber attacks from 2015 to 2016, with 1,310 attacks in 2015 and 1,684 in 2016.
But in March 2017, the New York Department of Financial Services (DFS) said enough was enough, and instituted a comprehensive cybersecurity regulation for financial institutions. We broke down exactly what you need to know about the 23 NYCRR 500 regulation in a previous post, but essentially, its security guidelines are “designed to promote the protection of customer information as well as the information technology systems of regulated entities.” The regulation applies to any organization that has a permit with and is regulated by the DFS - that includes the majority of banks, insurance companies, and financial institutions doing business in New York, regardless of whether or not they are headquartered there.
One key component of the DFS regulation is multi-factor authentication (MFA). With 81% of data breaches involving weak or stolen credentials, second factors have become imperative. In section 500.12, the DFS requires all covered entities to have MFA in place by March 2018: “each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems.” The section goes on to require that MFA be used for any employee accessing an organization’s assets from an external network and specifies MFA requirements for third party service providers as well.
But the DFS’ regulation isn’t just about MFA – far from it. Financial institutions shouldn’t be looking for point solutions to simply check the boxes associated with this regulation. MFA is just one element of a comprehensive security strategy. Organizations should think about securing all their applications, devices, and data. That’s very challenging in today’s world. IT can no longer draw a “perimeter” around the people and technology it needs to protect; they need to secure everyone (employees, partners, contractors, etc.) and everything (laptops, desktops, mobile devices, wearables, etc.). And the best way to do this is through an identity driven security strategy.
Financial institutions should enable a secure, and productive, mobile workforce. They, like all security-conscious organizations, should think about having one, central location to securely manage all their users, groups and devices and to enforce password policies with single sign-on. They should think about implementing strong authentication everywhere with MFA, automating deprovisioning with lifecycle management, and enabling visibility and response by integrating identity data with the rest of their security ecosystem. And, they should think about doing all this without compromising their end users’ productivity. Regulations like these can be a great launching pad for organizations to make a bold strategic move to solve the much larger identity and security problem.