The New York DFS cybersecurity regulations: Non-compliance is not an option

22 May 2017

Colin Domoney, Consultant Solution Architect, Veracode

In the past year alone, one in five large businesses reported falling victim to a cyberattack, with the British Chambers of Commerce finding that bigger businesses are at greater risk of being attacked than their smaller counterparts.

Over one fifth of companies reported, in the same study, that the threat of cybercrime is stopping their business from growing. However, less than a quarter of firms actually have cybersecurity standards in place, which makes enforcing best practice throughout the organisation a significant challenge, ultimately putting the organisation at greater risk of data loss and non-compliance.

With less than a year to go, UK businesses are only now getting to grips with the European General Data Protection Regulation (GDPR) and the possible consequences of non-compliance. Yet organisations operating in New York have a more urgent security standard to tackle.

The New York Department of Financial Services’ (NYDFS) Cybersecurity Regulations were recently put into force. They represent a new code of conduct that all firms operating within New York must adhere to, so organisations across the globe must now ensure that they meet the minimum security requirements.

What you need to know

Designed to protect the data of customers in the financial services sector, the regulations apply to banks, trust companies, mortgage lenders, insurance companies, brokers, investment companies, and other providers of financial products and services.

No matter what the size, it’s imperative that all organisations operating in the financial services industry in New York have a cybersecurity programme that consists of:

  1. A written cybersecurity policy
  2. Limitations on data retention
  3. Limited access privileges
  4. Annual risk assessments of IT systems
  5. A commitment to notify the NYDFS superintendent when a cybersecurity event or breach occurs

In some instances, depending on the gross annual revenue, year-end total assets and number of employees, there are further regulations that organisations should be aware of. But no matter how big the operation, for British firms that operate in, or have employees or customers in New York, ignorance is not an excuse. Non-compliance is not an option.

From a security industry perspective, it’s clear that financial institutions should view the regulations as minimum requirements rather than as the recipe for a comprehensive security programme. But one area where the NYDFS regulations go further than previous regulations is in setting more specific minimum standards for application security.

While application security is often treated as a tick-box exercise, the new regulations now require organisations to take a more holistic approach if they are to avoid fines or other penalties. To comply, companies must ensure that they adopt a four-pronged best-practice framework that revolves around the following areas:

Centralise flaw information

Creating a single, central repository where organisations maintain information about software flaws is more effective than sweeping them under the rug once addressed. Not only does this streamline compliance, it also enables security assessments to be conducted more effectively by consolidating the results from all of the testing methods in use.

Continuous compliance monitoring

While many organisations already take this approach, compliance can’t be the end goal in terms of application security. The motivation for these regulations is to support companies in better protecting data and systems. So, any cybersecurity initiatives adopted must be continuously applied to ensure ongoing compliance.

To achieve ongoing compliance for application security, vulnerability testing must be integrated within the software development lifecycle (SDLC) to ensure that software and applications are secure by design.

It’s also important for organisations to run discovery scans across their entire domain on a regular basis to find web applications they may have lost track of. When working with an organisation to determine and reduce its web application perimeter risk, Veracode often finds up to 40 per cent more websites than the customer initially provides as the input range. These forgotten sites are often international domains, temporary or outdated marketing sites, and sites obtained through mergers or acquisitions. Identifying such sites enables companies either to continuously monitor them for vulnerabilities or, where possible, to shut them down to reduce the attack surface.

Organisations should also operate virtual patching for web applications, based on their own application assessments. This should be conducted regularly, in conjunction with any immediate protection and auditing after a live cybersecurity breach or following the discovery of vulnerabilities.

No matter where it is, keep non-public data safe

One of the key requirements of the NYDFS regulations is that companies must protect ‘non-public’ data that is generated both internally and by third-party contractors, vendors or service providers. As such, businesses must ensure that the cryptography deployed by an application is designed robustly and correctly implemented.

Organisations should also build a cybersecurity programme that holds its third-party software providers to the same security standards that internal teams are held to.

Automate and audit

By introducing a platform that can automate workflows, the communication overhead is reduced and a secure audit trail for compliance processes can be delivered. In turn, this necessitates a robust policy management framework that documents and communicates a security policy.

Integrating into other key systems that share critical information, such as the listings of all discovered flaws or flaw status information (whether new, open, fixed or re-opened), can further facilitate this process.
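As an added illustration of the central flaw repository described under "Centralise flaw information" and the flaw status tracking mentioned here (example code, not Veracode's or the regulation's own), the following Python sketch merges findings from several testing methods into one record per flaw, moves each flaw through the new / open / fixed / re-opened states across scan runs, and keeps a per-flaw audit trail. The data model, the fingerprinting rule and the sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
import hashlib

@dataclass
class Flaw:
    fingerprint: str
    status: str                                  # new | open | fixed | re-opened
    reporting: set = field(default_factory=set)  # methods currently seeing it
    history: list = field(default_factory=list)  # audit trail: (run, method, status)

class FlawRepository:
    def __init__(self):
        self.flaws = {}

    @staticmethod
    def fingerprint(finding):
        # Same app, weakness and location => same flaw, whichever method found it
        key = f"{finding['app']}|{finding['cwe']}|{finding['location']}"
        return hashlib.sha256(key.encode()).hexdigest()[:16]

    def ingest(self, run_id, method, findings):
        seen = {self.fingerprint(f) for f in findings}
        for fp in seen:
            flaw = self.flaws.setdefault(fp, Flaw(fp, "new"))
            if flaw.status == "fixed":
                flaw.status = "re-opened"
            elif flaw.history and flaw.history[-1][0] != run_id:
                flaw.status = "open"  # seen again in a later run
            flaw.reporting.add(method)
            flaw.history.append((run_id, method, flaw.status))
        # A flaw this method no longer reports counts as fixed once no method reports it
        for fp, flaw in self.flaws.items():
            if method in flaw.reporting and fp not in seen:
                flaw.reporting.discard(method)
                if not flaw.reporting:
                    flaw.status = "fixed"
                    flaw.history.append((run_id, method, "fixed"))

def demo():
    # Constructed sample: two testing methods reporting over three scan runs
    repo = FlawRepository()
    sqli = {"app": "payments", "cwe": "CWE-89", "location": "/api/pay"}
    xss = {"app": "payments", "cwe": "CWE-79", "location": "/search"}
    repo.ingest("run-1", "static", [sqli, xss])
    repo.ingest("run-1", "dynamic", [sqli])  # same flaw, second method
    repo.ingest("run-2", "static", [xss])    # static no longer sees sqli
    repo.ingest("run-2", "dynamic", [])      # dynamic neither -> fixed
    repo.ingest("run-3", "dynamic", [sqli])  # back again -> re-opened
    return repo
```

The history list on each flaw is the audit trail a compliance reviewer would want: it records which run and which testing method produced every status change.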

Industry pioneers

As new standards and regulations for cybersecurity compliance are refined and enhanced across the world, it is clear that cybersecurity is becoming an ever-greater social, political and economic issue. That’s why it has never been more essential for development teams and security leaders to put in place a robust cybersecurity and data protection strategy that maintains security all the way from software development to active threat management.

While far from revolutionary, the NYDFS regulations present an interesting opportunity for New York’s financial services industry to become a beacon of best practice for introducing and maintaining a secure culture in their organisations. These new standards are the first of many that, in time, we hope, will put to bed the routine box-ticking cybersecurity exercises that ultimately leave organisations non-compliant and at greater cyber risk.