Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Why NY State Financial Firms Should Consider a New Regulation the Floor, Not the Ceiling

As major milestone dates imposed by the pioneering and prescriptive New York State Department of Financial Services Cybersecurity Regulation (PDF) kick in on its first anniversary, now is an opportune time to consider the impact they will have on your financial services organization.

Financial services organizations outside of New York state should also keep an eye on the status of this first-of-its-kind regulation, as other states may follow suit.

Most notably, the regulation raises the bar in terms of security accountability, by requiring CISOs to annually update their board of directors (or senior officer if a board doesn't exist) on the progress of their security program, as well as annually certify compliance to regulators. In addition, as an additional testament to how valuable regulators believe a well-informed board is to the success of a security program, the board must also initially approve the organization's written security policies.

The introduction of this regulation is evidence that security concerns remain at the top of the agenda of priorities for state and federal regulators in the banking and financial services industry. Regulators recognize that the threat posed by cybercriminals over the past decade has continually and significantly increased.

Of the 23 components listed in the regulation, the 16 actionable components center around the creation of a policy-based security program that includes proactive measures to help prevent breaches and ensure that response plans are in place. This is a big shift from past regulatory focus for financial services companies, which was more about incident reporting. The New York state regulation specifically requires senior-level signoff on the existence and appropriateness of key security controls.

Non-compliance with the regulation can lead to fines or program reviews. The exact scope of those consequences is not completely known but it is safe to say, you don't want to be the first to find out.

Here are the upcoming milestones:

  • Feb. 15: Covered entities are required to submit the first certification under the regulation for Notices to Superintendent, 500.17(b) on or prior to this date.
  • March 1: The one-year transitional period ends. Covered entities are required to be in compliance with the requirements of sections Chief Information Security Officer 500.04(b), Penetration Testing and Vulnerability Assessments 500.05, Risk Assessment 500.09, Multi-Factor Authentication 500.12 and Training and Monitoring 500.14(b).
  • Sept. 3: The 18-month transitional period ends. Covered entities are required to be in compliance with the requirements of sections Audit Trail 500.06, Application Security 500.08, Limitations on Data Retention 500.13, Training and Monitoring 500.14(a) and Encryption of Nonpublic Information 500.15.
  • March 1, 2019: The two-year transitional period ends. Covered entities are required to be in compliance with the requirements of Third Party Service Provider Security Policy 500.11.

The impact of these regulations will vary significantly among organizations. For the most part, the expectations reflect a best practices-based security approach and overlap with other existing regulations and requirements with which you are already likely familiar. The higher level of accountability for documenting policies and procedures by boards of directors and CISOs may be new to some companies, however.

The good news is this regulation may give CISOs a direct opportunity to document the current state of controls and pave a path forward. Security departments may get a boost in stature as well. To maximize the opportunity with the level of visibility and accountability that is required, CISOs should have a well-thought-out roadmap for complying with the regulation that includes solid cost projections and feasible implementation timelines.

In most companies, CISOs won't have delivery responsibility for all elements cited in the regulation, but because they are the ones affirming compliance to regulators, they should ensure proper due diligence and signoff all the way down the organizational chain. A robust process must be agreed to by various stakeholders, including auditors, risk managers, legal and compliance and senior management.

Philosophy and culture play an important role in how this regulation will impact a particular organization. Organizations typically fall into two camps when it comes to regulatory mandates: one camp sees regulations as the "ceiling" and build their program only to meet the highest control that is required, while the other camp sees regulations as the "floor" that they build upon, taking the view that required controls are only the minimum standard that they need to meet.

Since it is likely that more regulations will be introduced over time, those organizations that consider regulatory standards the foundation and add on higher best practices for their security program have a much easier time adapting to evolving requirements.

We'll continue to watch for the emergence of similar regulations in other states, as well as the impact of non-compliance to the New York State Cybersecurity Regulation.

Matt Martin is VP of financial services security solutions at Trustwave.

6882_9abdbeb5-6dc3-47d6-8332-b06b79f40724

 

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo