New York is the financial capital of the US and the world. That puts tremendous pressure on the New York State (NYS) Department of Financial Services to ensure its regulatory regime is both fair and effective. A large part of that today revolves around ensuring New York’s businesses have effective cyber governance as well as the right people, processes, and technology in place to mitigate serious cyber risks.
That’s why the state last year announced a major update to its cybersecurity regulation for financial services firms, which includes strict new requirements for covered organizations. It re-emphasizes the importance of a data-centric security strategy.
The Department of Financial Services supervises and regulates nearly 3,000 financial institutions with assets totalling over $8.8 trillion, including hundreds of insurers, banks and other financial services players. It describes its cybersecurity regulations as “nation leading” and – given surging volumes of cyber-threats and data breaches – they need to be.
The sector suffered the second-highest volume of data breaches in the US last year, with incidents in the US as a whole climbing to 744. That’s up an astonishing 439% from 2020. The sector is also the second-most expensive for data breach costs, at an average of $5.9m per incident, as of last year.
Against this backdrop, the new regulation mandates a string of cybersecurity best practice updates—covering areas from governance and policy to vulnerability management, identity security, incident response, application security, monitoring and training. Among these are:
“Additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack.”
This is where data-centric security comes in. Specifically, the amendment requires:
“As part of its cybersecurity program, [based on its risk assessment,] each covered entity shall implement [controls, including] a written policy requiring encryption that meets industry standards, to protect non-public information held or transmitted by the covered entity both in transit over external networks and at rest.”
It also demands that “covered entities” ensure their third-party service providers follow the same rules—a nod to the growing risk of supply chain breaches.
At the heart of the cybersecurity challenge for the financial services industry is the wealth of customer and internal corporate data that businesses hold. That’s why any efforts to comply with the amended NYS cybersecurity regulation should begin with a data-centric security approach. At a bare minimum, it means that if threat actors manage to circumvent perimeter security, they will be unable to monetize any sensitive data that they access.
So what does this mean in practice? There are several key elements:
The IMF claimed recently that more than 20,000 attacks on the banking sector have caused losses exceeding $12bn over the past 20 years—with “extreme losses” more than quadrupling since 2017 to $2.5bn. It’s reassuring therefore that NYS regulators are raising the bar for cybersecurity in the region. Now it’s time for financial institutions to get their compliance house in order.