British Firms Must Wake Up to The New York DFS Cybersecurity Regulations

Colin Domoney

Consultant Solution Architect at Veracode

15.05.2017 01:00 pm

One in five large businesses have fallen victim to cyber attacks in the past year, according to the British Chambers of Commerce (BCC), with bigger businesses more likely to be targeted than their smaller counterparts.

The poll also found that 21 per cent of businesses believe the threat of cybercrime is preventing their company from growing, yet only a quarter (24 per cent) of those organisations currently have cybersecurity standards in place – which could leave them at risk of further attacks and of falling foul of legislation and compliance requirements aimed at safeguarding citizen data.

While UK businesses are just starting to get their heads around the incoming General Data Protection Regulation (GDPR) and its ramifications in the event of data loss, the New York Department of Financial Services’ (NYDFS) recent Cybersecurity Regulations are already in force, and financial organisations operating in New York must comply with certain requirements today.

Financial services institutions headquartered outside of New York can’t afford to turn a blind eye to these new requirements. The NYDFS regulations represent a new code of conduct that all organisations operating within New York must adhere to.

The new set of minimum requirements, which took effect earlier this year, is designed to protect customer information in the financial services sector, which includes banks and trust companies, insurance companies, mortgage lenders, investment companies, brokers and other providers.

To comply with the regulations, all organisations, regardless of size, must have a cybersecurity programme in place that consists of:

  1. A written cybersecurity policy
  2. Limitations on data retention
  3. Limited access privileges
  4. Annual risk assessments of IT systems
  5. A pledge to notify the superintendent of the New York Department of Financial Services when a cybersecurity event or breach occurs

Additional regulations may apply to certain organisations, depending on the number of employees, gross annual revenue and year-end total assets.

For British firms that operate on a global scale, are employers in New York, or – most critically – have customers there, compliance is not optional.

While the regulations introduced are unlikely to be heralded by the industry as revolutionary, they do present both opportunities and challenges for financial services institutions. The NYDFS regulations are relatively broad, but do address application security in more specific ways than previous regulations have. This means that the traditional “tick box” approach is unlikely to appease an auditor, and could lead to fines or other penalties.

To successfully comply, an organisation must directly address key provisions in the regulations and adopt a best-practice framework that embraces compliance standards. In terms of application security, this typically revolves around the following four key best practices:

Track flaws, reviews and compliance through a single platform

Forward-thinking organisations create a single, central repository for information about software flaws, rather than brushing them under the carpet once addressed. This approach both streamlines compliance and maximises the effectiveness of security assessments by consolidating the results from multiple testing methods in one place.

Achieve continuous compliance monitoring

While many organisations approach it this way, compliance shouldn’t be the end-goal here. Ultimately, regulations are part of an overall security framework designed to help companies better protect systems and data. Therefore, an organisation’s cybersecurity initiative must rely on continuous and ongoing compliance.

In terms of application security, ongoing compliance results from ensuring that security testing integrates with the software development lifecycle so that all new software and applications are protected. In addition, organisations should conduct regular discovery scans of web applications within their overall domain. When working with organisations to reduce their web application perimeter risk, Veracode frequently finds 40 per cent more web sites than its customers provided as their input range – often comprised of temporary marketing sites, international domains, and sites obtained via mergers and acquisitions. All such sites must be identified to ensure they are either shut down or continuously monitored for vulnerabilities.

Based on their own application assessments, organisations should also conduct virtual patching for web applications. This should occur regularly alongside any further immediate auditing and protection following a live cybersecurity breach or discovery of vulnerabilities.

Keep non-public data safe, whether in internal applications or expert vendor systems

A key requirement of the NYDFS regulations is that an organisation must protect ‘non-public’ information generated both internally and by a contractor or vendor. Consequently, a business must ensure that cryptography used by an application is robustly designed and is implemented correctly. It must also work towards a programme that holds third-party software to the same security standards as internally developed software.

Automate and audit compliance workflows

A platform that automates workflows, reduces communication overhead and delivers a secure audit trail for compliance processes is key. This, in turn, necessitates a robust policy management framework to document and communicate a security policy. The ability to integrate with other key systems to share critical information, such as overall application security state, listings of all discovered flaws and flaw status information (new, open, fixed or re-opened), also facilitates this process.

With regulations and compliance standards being refined and enhanced across the globe, it is clear that cybersecurity is a growing social, political, and economic issue. This is why it is critical that development teams and security leaders in large organisations place the emphasis on rigorous data protection and advanced cybersecurity strategies rather than more routine box-ticking exercises.

