New York's Department of Financial Services did something of historic importance this month, and it got scant play in the media--fake news or otherwise.

It's no wonder. July 2017 tied with 2016 for a terrifying achievement: hottest July since that statistic was first recorded 137 years ago. Then of course there was the one-man news industry boon known as the Forty-Fifth President of the United States, which has owned the headlines so far in the month of August.

Still, it's an important story. It hinged on a new requirement that will soon become the law of the state, and hopefully will spread to other states.

The NYDFS promulgates and enforces regulations governing banks, insurance companies, and other financial services institutions that do business in the state.

"Beginning on August 28, 2017, all entities covered by DFS cybersecurity regulation must file certain notifications to the Superintendent including notices of certain cybersecurity events within 72 hours from a determination that a reportable event has occurred," the New York Department of Financial Services announced on July 31.

According to the NYDFS, a cybersecurity event is reportable if it falls under one of the following categories:

  • The cybersecurity event impacts the covered entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body.
  • The cybersecurity event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.

The release announces a second deadline of February 15, 2018, by which time all organizations that fall under the department's oversight have to file a certificate of compliance that details what cybersecurity practices they implemented the previous year.

The hope here should be that this sets the standard for notification among members of the financial services community, so that government agencies don't decide what companies have to do. In an ideal world, leading organizations would set standards for issues that impact the lives of their clients and their own ability to do business. States really should be in the position of auditing the best practices, cherry-picking what works, and legislating, making the law of the land with intel from the front lines. Compliance is cheaper if you set the standard.

As it stands, there is no financial sector leader in cybersecurity, and the NYDFS should be lauded for setting the standard.

We've known for a long time what needs to be done: encrypting data, regular penetration testing for vulnerabilities, limited access to sensitive information, implementation of multi-factor authentication that includes different categorical elements: knowledge (a password), possession (a token, or text message on a phone), inherence (a biometric feature).

The New York Department of Financial Services sets a strong standard for what might constitute a life-changing problem for people whose information is involved in a cybersecurity breach (under the new legislation, the only two pieces of leakable information still exempt are age and gender) as well as for a company's ability to survive.

Under the NYDFS guidelines, entities must create and maintain a cybersecurity policy.

Think that that sounds like common sense?

The law exists because far too many organizations that report to the Department of Financial Services don't address cybersecurity with their employees in a way that helps ward off the danger of a successful attack.

Here's what needs to be included in that policy:

"(a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response."

It's a good list, and about time.

Security should be the cornerstone of any company that makes its dough in an area that requires personally identifiable information.

While it is disappointing that compliance in the realm of cybersecurity practices needs to be regulated, we're long past having time for emotion here. Obviously, it should be considered the most basic kind of self-preserving behavior on the part of a financial institution to maintain a strong cybersecurity policy and enforce it, but we are where we are.

That said, no organization should assume that because it is compliant with the new law, it is secure. Just as no organization can assume that because it is secure on any given day, it is secure the next day. Cybersecurity must be a continuous process. Compromises will happen, which is the reason best practices like the ones regulated by the NYDFS are so welcome--and important.

Published on: Aug 21, 2017