Financial Firms In New York Face New Regulations On Cybersecurity

Major financial firms operating in New York will face stiff cybersecurity obligations under a new regulation introduced in the city. The rules address a broad range of cybersecurity issues, from the maintenance of written policies, governance and auditing, to detection, defence and response measures, testing requirements and incident reporting. Tim Erlin, Director, Security and IT Risk Strategist at Tripwire commented below.

Tim Erlin, Director, Security and IT Risk Strategist at Tripwire:

tim_erlin“The new NY DFS regulation has the same challenges that all cybersecurity regulations face: how to provide prescriptive requirements that are technology agnostic. The DFS regulation addresses the challenge of keeping up with the changing threat landscape by tying the details to a prescribed risk assessment. Requiring a risk assessment to which the security controls are ultimately aligned is a smart move. It forces organizations to go beyond just buying the obvious tools to actually understand the threats they face.

The DFS regulation requires many of the basic, foundational controls that most cybersecurity regulations touch on. Covered entities need to implement a cybersecurity program, create and maintain a cybersecurity policy, and designate a qualified CISO that reports to the board on their progress and risks.

The DFS regulation intentionally avoids requiring many specific controls, but does include the best practices of vulnerability assessments and audit trails. However, the regulation includes some surprisingly weak allowances for the timing of vulnerability assessments.  Unless a covered entity’s risk assessment recommends otherwise, the regulation allows covered entities to perform only annual penetration tests and bi-annual vulnerability assessments.  It’s well accepted that infrequent vulnerability assessments aren’t enough, and it would be very surprising for any risk assessment to conclude that a bi-annual vulnerability assessment would be sufficient to protect a business.”

Information Security Buzz