New York state officials recently adopted comprehensive cybersecurity regulations focused on preventing cyber-attacks in the financial services sector. These regulations, which took effect on March 1, are the first of their kind in the United States. Previous US cybersecurity laws and regulations date back to the 1980s, but historically focused almost exclusively on punishing hackers or penalizing companies that failed to secure sensitive information.
New York’s new measures require banks, insurance companies and other financial services institutions regulated by the state’s Department of Financial Services (DFS) to establish and maintain a cybersecurity program designed to protect consumers’ private data and ensure the safety and soundness of the state’s massive financial services industry.
These regulations are necessary for consumers. For obvious reasons, financial institutions are a favorite target of hackers. The past year set another record for the number of reported security breaches internationally, with more than half of those being cyber-related. However, these reactive regulations are indicative of the barriers that still prevent us from fully addressing the ever-increasing number of successful cyber-attacks.
Last year, banks across the world experienced cyber-attacks exploiting the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system. Using stolen SWIFT credentials, hackers were able to steal over $80 million (USD) from Bangladesh Bank. SWIFT has since warned banks to increase security, as more attacks are expected.
Stateside, the 2014 JP Morgan data breach remains one of the largest in history. Some 83 million households and small businesses were affected, with names, addresses, email addresses, phone numbers and other contact information exposed to hackers.
In spite of all this, the United States Congress has still not passed a comprehensive cybersecurity law in the 15 years since massive data breaches became the stuff of the nightly news.
To their credit, US senators Mark Warner (D-VA), Jack Reed (D-RI) and Susan Collins (R-ME) have joined together to introduce a bill to encourage public companies to appoint cybersecurity experts to their boards of directors. A separate group of senators – John Thune (R-SD), Brian Schatz (D-HI), James Risch (R-ID), Maria Cantwell (D-WA) and Bill Nelson (D-FL) – has introduced legislation to increase the support available to small businesses in responding to cyber-threats.
New York’s regulations represent a sea change in how government approaches cybersecurity. The new rules require businesses regulated by the DFS to meet certain minimum standards – including written cybersecurity policies and procedures and the designation of a qualified, executive-level cybersecurity officer, among other things – and to notify the state within 72 hours of a successful or attempted attack that could cause material harm.
“With this landmark regulation, DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information,” DFS superintendent Maria T. Vullo said. “As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber-attacks.”
However, these rules only apply to companies regulated by a single agency. The customers, employees and owners of the tens of thousands of New York businesses not regulated by DFS have no such regulatory framework to ensure their information is protected by a comprehensive cybersecurity program. Step outside New York and the same is true of all businesses, whether or not they are regulated at the state level.
The prospect for congressional action or federal agency regulation is dim. In a survey of global business leaders by Duff & Phelps, 86% say their companies will put more resources and time into cybersecurity in the coming year, but will they be the right resources? How many states will follow New York’s lead? Will any state expand the concept to all businesses, not just financial services?
On the vendor side of this equation, Gartner is recommending that cybersecurity firms – new and mature – focus on regulated businesses. Those businesses are willing to bet on emerging technologies to meet evolving requirements and threats. That includes small and medium businesses (SMBs), which may not escape state-level regulation and whose need to protect themselves is just as great, considering that 60% of all SMBs fail in the wake of a cyber-attack.
The bottom line is that all sectors of commerce and government – big and small – need rigorous cybersecurity measures, regardless of legislative mandates. The increased attention legislators are paying to cybersecurity prevention is a step in the right direction, as it seeks to institutionalize fundamental protections for consumers who are increasingly at risk of a data breach. However, the speed and sophistication of cyber-criminals will require a much more proactive and aggressive approach to security, one that protects against known and unknown threats and plans to evolve as the threat landscape changes.
James Lee, Executive Vice President, Waratek
This article appeared in InfoSecurity Magazine, May 2017