British Firms Must Wake Up to The New York DFS Cybersecurity Regulations

Colin Domoney

Consultant Solution Architect at Veracode

15.05.2017 01:00 pm

One in five large businesses have fallen victim to cyber attacks in the past year, according to the British Chambers of Commerce (BCC), with bigger businesses more likely to be targeted than their smaller counterparts.

The poll also found that 21 per cent of businesses believe the threat of cybercrime is holding back their growth, yet only a quarter (24 per cent) of those organisations currently have cybersecurity standards in place, which leaves them exposed both to further attacks and to breaching the legislation and compliance regimes that are meant to safeguard citizen data.

While UK businesses are only just getting their heads around the incoming General Data Protection Regulation (GDPR), which applies from 25 May 2018, and its ramifications in the event of data loss, the New York Department of Financial Services’ (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) is already in force, and financial organisations regulated in New York must comply with a first set of requirements today.

Financial services institutions headquartered outside of New York cannot afford to turn a blind eye to these requirements. The NYDFS regulation is a binding code of conduct for every “covered entity”, that is, every organisation operating under a licence, registration, charter or similar authorisation from the NYDFS, wherever its head office happens to be.

The new set of minimum requirements, which took effect on 1 March 2017 with transitional periods for the more demanding provisions, is designed to protect customer information in the financial services sector, which includes banks and trust companies, insurance companies, mortgage lenders, investment companies, brokers and other licensed providers.

To comply with the regulation, all covered entities, regardless of size, must have a cybersecurity programme in place that consists of at least:

  1. A written cybersecurity policy
  2. Limitations on data retention
  3. Limited access privileges
  4. Periodic risk assessments of information systems, backed by an annual written certification of compliance
  5. Notification of the NYDFS Superintendent no later than 72 hours after determining that a reportable cybersecurity event has occurred

The remaining provisions (for example a designated CISO, penetration testing and vulnerability assessments, multi-factor authentication and encryption of non-public information) apply unless the entity qualifies for the limited exemption for small firms, which is determined by the number of employees, gross annual revenue and year-end total assets.

For British firms that operate on a global scale and hold an NYDFS licence or authorisation (a New York branch or agency of a bank, for instance, or an insurer writing business in the state), compliance is not optional, and the fact that customers and data sit in New York is exactly what brings a firm into scope.

While the regulation is unlikely to be heralded by the industry as revolutionary, it presents both opportunities and challenges for financial services institutions. The NYDFS regulation is broad, but it addresses application security (Section 500.08 requires written procedures for the secure development of in-house applications and for evaluating externally developed ones) more specifically than previous financial regulations have. This means that the traditional “tick box” approach is unlikely to satisfy an auditor, and could lead to fines or other enforcement action.

To comply successfully, an organisation must map its controls directly to the key provisions of the regulation and adopt a best-practice framework that produces the evidence those provisions demand. In terms of application security, this typically revolves around the following four practices:

Track flaws, reviews and compliance through a single platform

Forward-thinking organisations create a single, central repository for information about software flaws, rather than brushing them under the carpet once addressed. This approach both streamlines compliance and maximises the effectiveness of security assessments by consolidating the results from multiple testing methods (static analysis, dynamic testing, manual penetration tests and third-party assessments) in one place, where a flaw’s history can be shown to an auditor.

Achieve continuous compliance monitoring

Although many organisations treat it as one, compliance should not be the end goal here. Regulations are part of an overall security framework designed to help companies better protect systems and data, so an organisation’s cybersecurity initiative must rest on continuous, ongoing compliance rather than a once-a-year audit.

In terms of application security, ongoing compliance results from ensuring that security testing integrates with the software development lifecycle so that all new software and applications are protected. In addition, organisations should conduct regular discovery scans of web applications within their overall domain. When working with organisations to reduce their web application perimeter risk, Veracode frequently finds 40 per cent more web sites than its customers provided as their input range – often comprised of temporary marketing sites, international domains, and sites obtained via mergers and acquisitions. All such sites must be identified to ensure they are either shut down or continuously monitored for vulnerabilities.

Based on their own application assessments, organisations should also use virtual patching for web applications: blocking a discovered flaw at the web application firewall or gateway while the code fix is developed, tested and deployed. This should be routine practice alongside the immediate auditing and protection that follows a live cybersecurity breach or the discovery of a serious vulnerability, and a virtual patch should be tracked until the underlying flaw is closed.

Keep non-public data safe, whether in internal applications or expert vendor systems

A key requirement of the NYDFS regulation is that an organisation must protect ‘non-public information’ whether it is generated internally or handled by a contractor or vendor, and Section 500.15 specifically calls for encryption of that information in transit and at rest, or a documented compensating control approved by the CISO. Consequently, a business must ensure that the cryptography used by an application is soundly designed and correctly implemented, and not merely present. It must also work towards a third-party programme that holds vendor-supplied software to the same security standards as internally developed software.

Automate and audit compliance workflows

A platform that automates workflows, reduces communication overhead and delivers a tamper-evident audit trail for compliance processes is key. This requires a robust policy management framework to document and communicate a security policy. The ability to integrate with other key systems to share critical information, such as overall application security state, listings of all discovered flaws and flaw status information (new, open, fixed or re-opened), also facilitates this process.
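The flaw-status tracking that the central-repository practice and the paragraph above describe comes down to reconciling each new assessment against the previous status table and recording every transition. The following is an added example written for this article, not code from Veracode or any other platform: the flaw fingerprint (application, CWE id, location), the four status names and the sample scans are all assumptions chosen for illustration.

```python
"""Track flaw status across successive assessment runs.

Added example, not code from the original article or from any vendor platform.
Flaw identity, the status names and the sample scans are assumptions for
illustration: findings are keyed by (application, CWE id, location) and each
run is reconciled against the status table produced by the previous run.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Fingerprint = Tuple[str, int, str]
StatusTable = Dict[Fingerprint, str]
Transition = Tuple[Fingerprint, str, str]   # (flaw, old status, new status)


@dataclass(frozen=True)
class Flaw:
    app: str
    cwe: int
    location: str  # e.g. "src/login.py:42" or a URL path

    def fingerprint(self) -> Fingerprint:
        # A stable key is what lets two scans be compared; scanner-assigned
        # finding ids usually change from run to run, so do not use those.
        return (self.app, self.cwe, self.location)


def reconcile(previous: StatusTable, findings: Iterable[Flaw]) -> Tuple[StatusTable, List[Transition]]:
    """Return the status table after this run and the audit-trail transitions.

    Rules (assumed for this example, not taken from the regulation):
      seen now, unseen before                   -> 'new'
      seen now, previously new/open             -> 'open'
      seen now, previously fixed                -> 're-opened'
      unseen now, previously new/open/re-opened -> 'fixed'
      unseen now, previously fixed              -> stays 'fixed' (kept for the record)
    """
    current = {f.fingerprint() for f in findings}
    table: StatusTable = {}
    trail: List[Transition] = []

    for fp, old in previous.items():
        if fp in current:
            new = "re-opened" if old == "fixed" else "open"
        else:
            new = "fixed"
        table[fp] = new
        if new != old:
            trail.append((fp, old, new))

    for fp in sorted(current - set(previous)):
        table[fp] = "new"
        trail.append((fp, "absent", "new"))

    return table, trail


def run_history(scans: Iterable[Iterable[Flaw]]) -> List[StatusTable]:
    """Reconcile a sequence of scans, starting from an empty status table."""
    table: StatusTable = {}
    history: List[StatusTable] = []
    for scan in scans:
        table, _ = reconcile(table, scan)
        history.append(dict(table))
    return history


# Constructed sample scans for one application (not real findings).
A = Flaw("payments-web", 89, "src/orders.py:118")            # SQL injection
B = Flaw("payments-web", 79, "src/templates/receipt.html:7")  # cross-site scripting
C = Flaw("payments-web", 327, "src/crypto.py:12")            # broken crypto algorithm

SAMPLE_SCANS = [
    [A, B],  # first assessment
    [B, C],  # A fixed, C introduced
    [A, C],  # A regressed, B fixed
]

if __name__ == "__main__":
    table: StatusTable = {}
    for i, scan in enumerate(SAMPLE_SCANS, 1):
        table, trail = reconcile(table, scan)
        print(f"after scan {i}:")
        for fp, old, new in trail:
            print(f"  {fp[0]} CWE-{fp[1]} {fp[2]}: {old} -> {new}")
```

The transition list is the audit trail: appended to a write-once store with a timestamp and the assessment id, it shows an auditor when each flaw appeared, when it was closed, and whether it ever regressed, which is the evidence a "fixed" status alone cannot provide.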

With regulations and compliance standards being refined and enhanced across the globe, it is clear that cybersecurity is a growing social, political and economic issue. This is why it is critical that development teams and security leaders in large organisations commit to rigorous data protection and well-engineered cybersecurity strategies rather than routine box-ticking exercises.

 
