Experts weigh in on New York’s cybersecurity rules taking effect this week

Regulations are good first step toward better consumer, business protection nationwide

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

The New York Depart­ment of Finan­cial Service’s mon­u­men­tal new rules are on the hori­zon. The changes require banks and oth­er finan­cial ser­vices com­pa­nies to prove they are using com­pre­hen­sive cyber­se­cu­ri­ty poli­cies and practices.

Much more than just the pro­tec­tion of indi­vid­u­als’ per­son­al data and cash is at stake. Cyber attacks to steal or cor­rupt data, hijack finan­cial trans­ac­tions, or knock out crit­i­cal sys­tems rep­re­sent a poten­tial­ly cat­a­stroph­ic threat.

Relat­ed arti­cle: An FAQ on New York’s new cyber­se­cu­ri­ty rules

Designed to off­set that threat, New York’s Cyber­se­cu­ri­ty Require­ments for Finan­cial Ser­vices Com­pa­nies is being close­ly watched by law­mak­ers and agen­cies in oth­er states con­sid­er­ing sim­i­lar mech­a­nisms to com­pel orga­ni­za­tions to do a bet­ter job secur­ing their networks.

With the new rules set to take effect Wednes­day, March 1, Third­Cer­tain­ty elicit­ed these reac­tions from cyber­se­cu­ri­ty thought leaders:

Michael Patterson, Plixer International CEO
Michael Pat­ter­son, Plix­er Inter­na­tion­al CEO

Michael Pat­ter­son, CEO, Plix­er Inter­na­tion­al. Forc­ing busi­ness­es to take basic cyber­se­cu­ri­ty pre­cau­tions is a great first step toward secur­ing not only the busi­ness­es them­selves, but also con­sumers. Tak­ing a hard look at third-par­ty ven­dors also is good prac­tice since 63 per­cent of all data breach­es can be attrib­uted to a third-par­ty ven­dor. … Rules, reg­u­la­tions, best prac­tices and reme­di­a­tion pro­vide the foun­da­tion for com­pa­nies to pro­tect their cus­tomers as well as themselves.

Balázs Scheidler, Balabit CTO and co-founder
Balázs Schei­dler, Bal­abit CTO and co-founder

Balázs Schei­dler, CTO and co-founder, Bal­abit. Under the new reg­u­la­tions, banks now are required to scru­ti­nize their sup­pli­ers and to report on breach­es that affect them. … Requir­ing breach­es to be report­ed is a good first step, but is it enough? A more proac­tive approach would be to require close mon­i­tor­ing and analy­sis of sup­pli­ers’ activ­i­ties in real time with auto­mat­ed tools. This would short­en breach and threat dis­cov­ery, enabling insti­tu­tions to avert or min­i­mize breach impacts.

Adam Levin, chairman and co-founder of and CyberScout (formerly IDT911)
Adam Levin, chair­man and co-founder of and Cyber­Scout (for­mer­ly IDT911)

Adam Levin, chair­man, Cyber­Scout. (Full dis­clo­sure: Cyber­Scout spon­sors Third­Cer­tain­ty.) These reg­u­la­tions have teeth—and may be exact­ly what’s need­ed. Stand by for an explo­sion of con­trolled chaos, as some 1,900 banks, insur­ers, mort­gage bro­ker­ages and asset man­age­ment firms—companies that col­lec­tive­ly man­age $2.9 tril­lion in assets—scramble to estab­lish qual­i­ty cyber­se­cu­ri­ty pro­grams. These com­pa­nies must take steps to ensure the sound­ness of New York state’s finan­cial ser­vices industry.

Jeff Hill, Prevalent director of product management
Jeff Hill, Preva­lent direc­tor of prod­uct management

Jeff Hill, direc­tor of prod­uct man­age­ment, Preva­lent. These new rules are tes­ta­ment to the fact that more and more, reg­u­la­tors, state agen­cies, investors and oth­er stake­hold­ers are con­nect­ing the dots between finan­cial health and cyber­se­cu­ri­ty. New York state’s new rules are par­tic­u­lar­ly for­ward-look­ing in that they empha­size the impor­tance of under­stand­ing and man­ag­ing third-par­ty risk. New York is forc­ing a crit­i­cal ele­ment of its eco­nom­ic infra­struc­ture to cov­er all its bases.

David Vergara, VASCO Data Security head of global product marketing
David Ver­gara, VASCO Data Secu­ri­ty head of glob­al prod­uct marketing

David Ver­gara, head of glob­al prod­uct mar­ket­ing, VASCO Data Secu­ri­ty. In recent times, the reg­u­la­to­ry pen­du­lum has begun to swing in favor of a “lighter” approach for banks, finan­cial ser­vices and for oth­er indus­tries, too. It’s good to see, how­ev­er, that good sense reg­u­la­tions like this one have sur­vived to offer addi­tion­al con­sumer pro­tec­tion via thor­ough eval­u­a­tions of third-par­ty ven­dors, com­pre­hen­sive risk assess­ments, and advo­ca­cy for stronger mul­ti­fac­tor authentication.

More on need for new cyber­se­cu­ri­ty rules:
New York finan­cial reg­u­la­tions could sig­nal cyber­se­cu­ri­ty sea change nationwide
Despite revi­sion, cyber­se­cu­ri­ty rules for New York finan­cial sec­tor still have teeth
$81 mil­lion cyber heist offers lessons for finan­cial institutions



Posted in Cybersecurity, Featured Story