The First of Many

A step in the right direction has been taken to ensure financial institutions can defend themselves against the pernicious environment that is cyberspace. That is because in September, New York’s Department of Financial Services released its proposed cybersecurity regulations with the aim doing just that.

The policies are both timely and necessary. The new rules arrive not too long after the Bangladeshi central bank suffered a brutal $81 million cyber heist earlier in the year. Other Southern-Asian central banks also admitted to suffering similar fates. It exposed the vulnerabilities in the system used for cross-border transfers of money, known as Swift, as well as the lacklustre security parameters within the workings of the breached banks.

Furthermore, many financial institutions across the world, like central banks, are becoming prime targets for cybercriminals. According to a report from Websense Security Labs in 2015, the average number attacks against financial services institutions was higher than that of companies in other industries by four times.

Some institutions, in light of such realities, have taken the initiative to better protect themselves. The Bank of England conducted stress tests on the cyber defences of the country’s big banks in reaction to the Swift breach from earlier in the year. The European Central Bank has been gathering data on cyber breaches taking place in the eurozone’s biggest banks.

But New York’s proposed regulation, officially called ‘Cybersecurity Requirements for Financial Services Companies’, if passed, could be the broadest regulation of its kind to be imposed on the financial sector of New York. Additionally, and importantly, it addresses the critical loopholes highlighted in cyber attacks which have taken place prior. These new rules aim to ensure that all companies, big and small, have a cybersecurity program in place. Though some companies may already have one in place, it will become mandatory for companies to establish such programs, regardless of whether they operate in banking or insurance or any other financial service.

These compulsory rules will apply to any individuals or entities operating under licenses or equivalent authorisation granted under New York laws. Smaller entities, defined according to their annual revenues, will be permitted certain exemptions. Though they will be still be required to adhere to most of the regulation’s requirements.

The cybersecurity program imposed by these newly proposed policies aims to ensure that theses individuals and entities can accomplish a number of feats to better protect their data. This includes being able to identify cybersecurity risks (both internal and external), detect “cybersecurity events” such as a breach, and also use defensive infrastructures to protect sensitive information. Even third parties working the data systems of financial services companies must comply with such cybersecurity practices.

What They Need To Do

Additionally, there are other much-needed requirements that these companies would have to follow. To begin with, larger entities will need to implement the role of chief information security officer into their ranks. This CISO will be responsible for implementing and overseeing the operation of the company’s cybersecurity program, reviewing and reporting to the governing bodies. This regular reporting will make company executives more knowledgeable of the company’s cybersecurity efforts, enabling them to make well-informed decisions and cope with attacks more effectivity.

Another important requirement imposed by the new regulations is the mandatory use of multi-factor authentication and encryption. Some companies may already use such security parameters, but the new regulations will make it a strict requirement for all entities with limited exceptions. Networks or servers containing sensitive information will be better protected against cybercriminals with the use of multi-factor authentication, and even more so with the use of encryption. Cybercriminals will often target those who are easiest to hack, and thus by building networks that are harder to breach by using these security parameters, hackers are less inclined to conduct their malicious work.

Equally as critical is the regular education and training that staff will have to receive under the new regulations. Clicking on malicious links in emails, downloading content from unverified sources and sharing passwords are some of the pitfalls employees can fall into with potentially devastating effects. Of all of the components of a computer systems, human beings are the biggest weakness when it comes to security; they are prone to making mistakes and misjudgements. It is, therefore, important that companies make sure that their employees get the necessary training they need when operating computers or other devices connected to networks containing sensitive information. Encouraging security-conscious habits will go a long way in preventing attacks in the future. Social engineering is often one of the main ways hackers are able to get into systems, and so better training will certainly be needed to protect against this.

For the companies that have already implemented some of the requirements presented in the new cybersecurity regulations, not much will change. But a universal set of rules to ensure all financial entities are using the best cybersecurity practices shows the magnitude of the dangers existing in cyberspace. Thus, if the regulations are passed, it is likely to encourage other states to do the same. Other industry regulators may also be inclined to take similar steps. So in January 2017, when the regulations are set to take effect if passed, the financial sector in New York may be the first to be subject to such obligations, but it certainly will not be the last.