Fortune and other outlets have reported that New York’s governor and top banking regulator have just proposed regulations that would require the state’s banks to establish definitive cyber security programs to protect customer and institutional data. Requirements would include (but not be limited to): hiring a chief information security officer; implementing infrastructure, policies and practices to detect and thwart attacks; and notifying the NY Department of Financial Services of a material breach within 72 hours. IT security experts from VASCO Data Security and Lastline commented below.
John Gunn, VP of Communications at VASCO Data Security:
“While we applaud the positive elements of the proposal, we believe it was a mistake to abandon the requirement for multifactor authentication for consumer banking that Benjamin Lawsky had previously called for. Multifactor authentication has become almost transparent for banking customers with the integration of smartphones, and it is miles ahead of 30-year old user name and password methods. Many leading banks already use multifactor authentication to secure their customers’ accounts and this protection should be universal.”
Bert Rankin, CMO at Lastline:
“It is at this point almost inconceivable that any major financial institution either would not have already implemented such cyber defense solutions and practices, or would resist doing so. One of the most crucial, largely unaddressed issues is what types of cyber defense strategies the regulations might ultimately require.
“The fact is that malware behaviors and attack strategies mutate and evolve so quickly that measures focused on any one or two specific defense strategies would be antiquated in months, if not in weeks.
“The ability to detect highly evasive malware is at the heart of cyber security. It should be part of the core of effective regulation, and should actually be a lynchpin in every organization’s cyber defense and incident response.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.