The New York Department of Financial Services (NYDFS) requires all regulated entities to adopt the core requirements of a cybersecurity program. Panorays’ Matan Or-El discusses the regulation’s impact on financial institutions.
The cybersecurity landscape is becoming increasingly volatile for financial institutions, which are scrambling to fight off a barrage of cyberattacks such as bots, credential stuffing and account takeovers. Those attacks are delivered through banking Trojans along with ATM and mobile malware. With open banking on the horizon, every new service a financial institution offers adds to its risk. The protection of personal data, accounts and reputation is at stake.
With the deluge of breaches in the last year, it is a wonder that any personal data is left to protect that hasn’t already been sold on the dark web. These devastating trends have prompted lawmakers in New York State to institute the New York State Department of Financial Services Cybersecurity Regulation (NYDFS). This new regulation, which went into effect in March, outlines cybersecurity standards for financial institutions including credit unions, health insurers, investment companies, licensed lenders, life insurance companies, mortgage brokers, savings and loans associations, private bankers, offices of foreign banks and commercial banks.
The new regulation requires organizations to review their security risk and develop policies that meet compliance standards relating to data governance, classification, access controls, system monitoring and incident response. Organizations that are regulated are now required to adhere to these guidelines:
- Consumers’ private data must be protected by a cybersecurity initiative
- The board of directors or a senior officer must produce a cybersecurity policy
- Protection of data and systems must be overseen by a CISO
- Third-party providers must have appropriate security protections
- Data breach and cyberattack plans must be in place to ensure the protection of financial institutions’ and customers’ data
Organizations need to put all the above into place or face possible fines and business disruptions.
What NYDFS Requires When Working with Third Parties
One of the most significant outcomes of NYDFS is how it will change the way financial institutions manage and secure the supply chain.
In 2018, supply chain attacks were nearly double the number of the year before, according to the Symantec Internet Security Threat Report.* Clearly, cybercriminals are testing and finding successful new attack strategies and then rolling them out across industries. They are escalating their efforts and maximizing their results with fewer attacks. These attacks have put pressure on the entire supply chain – especially on smaller banks that may not have the IT expertise to defend themselves.
The new regulation requires third-party suppliers to meet minimum cybersecurity requirements. Additionally, financial organizations are required to evaluate the cybersecurity posture of their third parties on a regular basis by following precise policies and procedures. These policies provide guidelines that include using multi-factor authentication, encryption and other updated technologies to accelerate the detection of attacks and fraudulent transactions, as well as notifying the state, customers and suppliers of any breaches.
With more complicated procedures and possibly hundreds of suppliers, it is no longer possible to manage third-party vendors with paper-based processes. Current technologies are required not only to vet third parties and their partners, but also to continuously scan those partners for vulnerabilities that cybercriminals could exploit. The next step is alerting partners to these vulnerabilities and resolving them. While it takes significant effort to manage these relationships, new automated technologies are able to do much of the heavy lifting.
Complying With NYDFS
Complying with NYDFS means that financial institutions must have a much more intimate knowledge of their third-party suppliers. They will have to know how critical these relationships are, as well as what data they have access to. Limiting access to critical data is a step toward shoring up the risk posture of the entire supply chain. Banks should demand and enforce data removal after a certain period of time and limit access when relevant. Third parties must also provide visibility into how any data accessed is being utilized.
Even before engaging a new supplier, financial institutions should review the vendor’s security posture and understand the systems it runs, the protocols it uses and the security technologies it has in place. Should a cybersecurity problem present itself, banks should be able to engage with the supplier and pinpoint the issue so that the supplier is aware of it, understands it and knows how to fix it. Suppliers should also allow organizations to view their breach logs on an ongoing basis.
Financial institutions will have to clearly communicate to all their suppliers the liabilities and consequences of not adhering to the new regulation. Every part of the supply chain will now be held accountable. By February 15, 2020, organizations will need to demonstrate their compliance with the new regulation. This job will fall to the board of directors or a senior officer. This means that cybersecurity, including third-party cybersecurity, will need to be a priority. Automation is the key to defending against any compliance violations while securing the supply chain at the same time.
* https://www.symantec.com/blogs/threat-intelligence/istr-24-cyber-security-threat-landscape