
Dan Simmons | Jul 11, 2024 | Data Protection, Compliance

Why Data-Centric Security Matters to New York’s Financial Services Firms

New York is the financial capital of the US and the world. That puts tremendous pressure on the New York State (NYS) Department of Financial Services to ensure its regulatory regime is both fair and effective. A large part of that today revolves around ensuring New York’s businesses have effective cyber governance as well as the right people, processes, and technology in place to mitigate serious cyber risks.

That’s why the state last year announced a major update to its cybersecurity regulation for financial services firms, which includes strict new requirements for covered organizations. It re-emphasizes the importance of a data-centric security strategy.

Time for change

The Department of Financial Services supervises and regulates nearly 3,000 financial institutions with assets totalling over $8.8 trillion, including hundreds of insurers, banks and other financial services players. It describes its cybersecurity regulations as “nation leading” and – given surging volumes of cyber-threats and data breaches – they need to be.

The sector suffered the second-highest volume of data breaches in the US last year, with incidents in the US as a whole climbing to 744. That’s up an astonishing 439% from 2020. The sector is also the second-most expensive for data breach costs, at an average of $5.9m per incident, as of last year.

What’s in the new regulation?

Against this backdrop, the new regulation mandates a string of cybersecurity best practice updates—covering areas from governance and policy to vulnerability management, identity security, incident response, application security, monitoring and training. Among these are:

“Additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack.”

This is where data-centric security comes in. Specifically, the amendment requires:

“As part of its cybersecurity program, [based on its risk assessment,] each covered entity shall implement [controls, including] a written policy requiring encryption that meets industry standards, to protect non-public information held or transmitted by the covered entity both in transit over external networks and at rest.”

It also demands that “covered entities” ensure their third-party service providers follow the same rules—a nod to the growing risk of supply chain breaches.

A data-centric security approach

At the heart of the cybersecurity challenge for the financial services industry is the wealth of customer and internal corporate data that businesses hold. That’s why any efforts to comply with the amended NYS cybersecurity regulation should begin with a data-centric security approach. At a bare minimum, it means that if threat actors manage to circumvent perimeter security, they will be unable to monetize any sensitive data that they access.

So what does this mean in practice? There are several key elements:

  • Automated data discovery and classification. This should be done on a continuous basis as data flows in and out of the business. AI tooling is essential here given the vast volumes of data involved and the dynamic nature of the environment.
  • Encryption or tokenization (at rest and in transit). This protects the data from prying eyes and makes it unusable to threat actors. Tokenization is particularly useful because tokenized data can still feed use cases such as AI analytics without exposing the underlying sensitive values.
  • Robust access controls. These should include role-based access control (RBAC) and multi-factor authentication (MFA). The latter is mentioned explicitly in the regulation.
  • Continuous monitoring and auditing. This will help raise a red flag if threat actors breach the organization, accelerate incident response, and streamline compliance reporting.
  • Data governance. The regulation mandates that sufficient resources be made available to implement and maintain an effective cybersecurity program, and that the CISO promptly informs senior officials of any material incident.

The IMF claimed recently that more than 20,000 attacks on the banking sector have caused losses exceeding $12bn over the past 20 years—with “extreme losses” more than quadrupling since 2017 to $2.5bn. It’s reassuring therefore that NYS regulators are raising the bar for cybersecurity in the region. Now it’s time for financial institutions to get their compliance house in order.
