Major financial firms operating in New York will face stiff cybersecurity obligations under a new regulation introduced in the city. The rules address a broad range of cybersecurity issues, from the maintenance of written policies, governance and auditing, to detection, defence and response measures, testing requirements and incident reporting. Tim Erlin, Director, Security and IT Risk Strategist at Tripwire commented below.
Tim Erlin, Director, Security and IT Risk Strategist at Tripwire:
“The new NY DFS regulation has the same challenges that all cybersecurity regulations face: how to provide prescriptive requirements that are technology agnostic. The DFS regulation addresses the challenge of keeping up with the changing threat landscape by tying the details to a prescribed risk assessment. Requiring a risk assessment to which the security controls are ultimately aligned is a smart move. It forces organizations to go beyond just buying the obvious tools to actually understand the threats they face.
The DFS regulation requires many of the basic, foundational controls that most cybersecurity regulations touch on. Covered entities need to implement a cybersecurity program, create and maintain a cybersecurity policy, and designate a qualified CISO that reports to the board on their progress and risks.
The DFS regulation intentionally avoids requiring many specific controls, but does include the best practices of vulnerability assessments and audit trails. However, the regulation includes some surprisingly weak allowances for the timing of vulnerability assessments. Unless a covered entity’s risk assessment recommends otherwise, the regulation allows covered entities to perform only annual penetration tests and bi-annual vulnerability assessments. It’s well accepted that infrequent vulnerability assessments aren’t enough, and it would be very surprising for any risk assessment to conclude that a bi-annual vulnerability assessment would be sufficient to protect a business.”
Most Commented Posts
2020 Cybersecurity Landscape: 100+ Experts’ Predictions
Cyber Security Predictions 2021: Experts’ Responses
Experts’ Responses: Cyber Security Predictions 2023
Data Privacy Protection Day (Thursday 28th) – Experts Comments
Experts Insight On US Pipeline Shut After Cyberattack
Most Active Commenters
Recent Comments
“Cybersecurity Awareness Month’s new evergreen theme "Secure Our World” is…
“Avoid storing data on personal devices: A crucial but often overlooked…
“I recommend a new nuance to passwords that isn’t often…
“In my role overseeing cloud environments and incident response, I'm…
“Cybersecurity Awareness Month serves as a reminder to confront the…