British Firms Must Wake Up to The New York DFS Cybersecurity Regulations
- Colin Domoney, Consultant Solution Architect at Veracode
- 15.05.2017 01:00 pm undisclosed
One in five large businesses has fallen victim to cyber attacks in the past year, according to the British Chambers of Commerce (BCC), with bigger businesses more likely to be targeted than their smaller counterparts.
The poll also found that 21 per cent of businesses believe the threat of cybercrime is preventing their company from growing, yet only a quarter (24 per cent) of those organisations currently have cybersecurity standards in place – which could leave them at risk of further attacks and of falling foul of legislation and compliance requirements aimed at safeguarding citizen data.
While UK businesses are just starting to get their heads around the incoming General Data Protection Regulation (GDPR) and its ramifications in the event of data loss, the New York Department of Financial Services’ (NYDFS) recent Cybersecurity Regulations are already in force, and financial organisations operating in New York must comply with certain requirements today.
Financial services institutions headquartered outside of New York can’t afford to turn a blind eye to these new requirements. The NYDFS regulations represent a new code of conduct that all organisations operating within New York must adhere to.
The new set of minimum requirements, which took effect earlier this year, are designed to protect customer information in the financial services sector, which includes banks and trust companies, insurance companies, mortgage lenders, investment companies, brokers and other providers.
To comply with the regulations, all organisations, regardless of size, must have a cybersecurity programme in place that consists of:
- A written cybersecurity policy
- Limitations on data retention
- Limited access privileges
- Annual risk assessments of IT systems
- A commitment to notify the NYDFS superintendent when a cybersecurity event or breach occurs
Additional regulations may apply to certain organisations, depending on the number of employees, gross annual revenue and year-end total assets.
For British firms that operate on a global scale, are employers in New York, or – most critically – have customers there, compliance is not optional.
While the regulations introduced are unlikely to be heralded by the industry as revolutionary, they do present both opportunities and challenges for financial services institutions. The NYDFS regulations are relatively broad, but do address application security in more specific ways than previous regulations have. This means that the traditional “tick box” approach is unlikely to appease an auditor, and could lead to fines or other penalties.
To successfully comply, an organisation must directly address key provisions in the regulations and adopt a best-practice framework that embraces compliance standards. In terms of application security, this typically revolves around the following four key best practices:
Track flaws, reviews and compliance through a single platform
Forward-thinking organisations create a single, central repository for information about software flaws, rather than brushing them under the carpet once addressed. This approach both streamlines compliance and maximises the effectiveness of security assessments by consolidating the results from multiple testing methods in one place.
Achieve continuous compliance monitoring
While many organisations approach it this way, compliance shouldn’t be the end-goal here. Ultimately, regulations are part of an overall security framework designed to help companies better protect systems and data. Therefore, an organisation’s cybersecurity initiative must rely on continuous and ongoing compliance.
In terms of application security, ongoing compliance results from ensuring that security testing integrates with the software development lifecycle so that all new software and applications are protected. In addition, organisations should conduct regular discovery scans of web applications within their overall domain. When working with organisations to reduce their web application perimeter risk, Veracode frequently finds 40 per cent more web sites than its customers provided as their input range – often comprised of temporary marketing sites, international domains, and sites obtained via mergers and acquisitions. All such sites must be identified to ensure they are either shut down or continuously monitored for vulnerabilities.
Based on their own application assessments, organisations should also conduct virtual patching for web applications. This should occur regularly alongside any further immediate auditing and protection following a live cybersecurity breach or discovery of vulnerabilities.
Keep non-public data safe, whether in internal applications or expert vendor systems
A key requirement of the NYDFS regulations is that an organisation must protect ‘non-public’ information generated both internally and by a contractor or vendor. Consequently, a business must ensure that cryptography used by an application is robustly designed and is implemented correctly. It must also work towards a programme that holds third-party software to the same security standards as internally developed software.
Automate and audit compliance workflows
A platform that automates workflows, reduces communication overhead and delivers a secure audit trail for compliance processes is key. This, in turn, requires a robust policy management framework to document and communicate a security policy. The ability to integrate with other key systems to share critical information, such as overall application security state, listings of all discovered flaws and flaw status information (new, open, fixed or re-opened), also facilitates this process.
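The single flaw repository described under "Track flaws, reviews and compliance through a single platform" and the status vocabulary listed above (new, open, fixed, re-opened) can be made concrete with a small consolidation and lifecycle tracker. The following is an added example written for this article; it is not Veracode code and does not reflect any product's data model. The application name, tool names, CWE identifiers and file locations are constructed sample values, and the lifecycle rules (first sighting is "new", a later sighting is "open", absence from a full scan cycle is "fixed", a sighting after a fix is "re-opened") are assumptions chosen to illustrate the four statuses.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Status vocabulary as listed in the article.
STATUSES = ("new", "open", "fixed", "re-opened")


def fingerprint(finding: dict) -> str:
    """Tool-independent identity for a flaw: the same application, weakness
    class and code location reported by two different scanners collapse into
    a single record instead of two duplicate tickets."""
    key = "|".join((finding["app"], finding["cwe"], finding["file"], str(finding["line"])))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


@dataclass
class FlawRecord:
    fingerprint: str
    app: str
    cwe: str
    location: str
    status: str
    tools: set = field(default_factory=set)  # every scanner that has ever reported it


class FlawRepository:
    """One central store of flaws plus an append-only audit trail of status changes."""

    def __init__(self) -> None:
        self.records: dict[str, FlawRecord] = {}
        self.audit_trail: list[dict] = []

    def _set_status(self, rec: FlawRecord, scan_id: str, new_status: str) -> None:
        # Every transition is logged with the scan that caused it, which is the
        # evidence an auditor asks for when checking that flaws are tracked to closure.
        self.audit_trail.append({"scan": scan_id, "flaw": rec.fingerprint,
                                 "from": rec.status, "to": new_status})
        rec.status = new_status

    def ingest_scan(self, scan_id: str, app: str, findings: list[dict]) -> None:
        """Apply one scan cycle: the merged output of every tool run against `app`.

        Assumed lifecycle: first sighting -> new; sighting in a later cycle -> open;
        absent from a whole cycle -> fixed; sighting after fixed -> re-opened.
        """
        seen: set[str] = set()
        for f in findings:
            if f["app"] != app:
                raise ValueError("finding belongs to a different application")
            fp = fingerprint(f)
            rec = self.records.get(fp)
            if fp in seen:
                pass  # a second tool confirming the same flaw this cycle changes nothing
            elif rec is None:
                rec = FlawRecord(fp, app, f["cwe"], f"{f['file']}:{f['line']}", "new")
                self.records[fp] = rec
                self.audit_trail.append({"scan": scan_id, "flaw": fp, "from": None, "to": "new"})
            elif rec.status == "fixed":
                self._set_status(rec, scan_id, "re-opened")
            elif rec.status in ("new", "re-opened"):
                self._set_status(rec, scan_id, "open")
            seen.add(fp)
            rec.tools.add(f["tool"])
        # Anything previously live for this app that no tool reported this cycle is fixed.
        # This only works because the cycle contains *all* tools' output; marking a flaw
        # fixed because one scanner missed it would hide live weaknesses.
        for rec in self.records.values():
            if rec.app == app and rec.fingerprint not in seen and rec.status != "fixed":
                self._set_status(rec, scan_id, "fixed")

    def summary(self) -> dict[str, int]:
        """Counts per status: the 'overall application security state' shared with other systems."""
        counts = {s: 0 for s in STATUSES}
        for rec in self.records.values():
            counts[rec.status] += 1
        return counts


def run_demo() -> FlawRepository:
    """Three constructed scan cycles for a hypothetical 'payments-api' application."""
    sqli = {"app": "payments-api", "cwe": "CWE-89", "file": "db.py", "line": 42}
    xss = {"app": "payments-api", "cwe": "CWE-79", "file": "views.py", "line": 17}
    repo = FlawRepository()
    repo.ingest_scan("scan-1", "payments-api", [dict(sqli, tool="sast"), dict(xss, tool="dast")])
    # Cycle 2: the SQL injection has been remediated; two tools now both report the XSS.
    repo.ingest_scan("scan-2", "payments-api", [dict(xss, tool="dast"), dict(xss, tool="sast")])
    # Cycle 3: the SQL injection regresses, so it must surface as re-opened, not as a new flaw.
    repo.ingest_scan("scan-3", "payments-api", [dict(sqli, tool="sast"), dict(xss, tool="dast")])
    return repo


if __name__ == "__main__":
    demo = run_demo()
    print(demo.summary())
    for entry in demo.audit_trail:
        print(entry)
```

The fingerprint deliberately excludes the reporting tool, which is what lets results from static and dynamic testing land on one record; the regression in the third cycle shows why "re-opened" is worth keeping distinct from "new" in the audit trail.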
With regulations and compliance standards being refined and enhanced across the globe, it is clear that cybersecurity is a growing social, political, and economic issue. This is why it is critical that development teams and security leaders in large organisations place the onus on rigorous data protection and advanced cybersecurity strategies rather than more routine box-ticking exercises.