Why NY State Financial Firms Should Consider a New Regulation the Floor, Not the Ceiling

As major milestone dates imposed by the pioneering and prescriptive New York State Department of Financial Services Cybersecurity Regulation (PDF) kick in on its first anniversary, now is an opportune time to consider the impact they will have on your financial services organization.

Financial services organizations outside of New York state should also keep an eye on the status of this first-of-its-kind regulation, as other states may follow suit.

Most notably, the regulation raises the bar for security accountability by requiring CISOs to update their board of directors (or a senior officer if a board doesn't exist) annually on the progress of their security program, and to certify compliance to regulators annually. As a further testament to how valuable regulators believe a well-informed board is to the success of a security program, the board must also initially approve the organization's written security policies.

The introduction of this regulation is evidence that security concerns remain at the top of the agenda of priorities for state and federal regulators in the banking and financial services industry. Regulators recognize that the threat posed by cybercriminals over the past decade has continually and significantly increased.

Of the 23 components listed in the regulation, the 16 actionable components center around the creation of a policy-based security program that includes proactive measures to help prevent breaches and ensure that response plans are in place. This is a big shift from past regulatory focus for financial services companies, which was more about incident reporting. The New York state regulation specifically requires senior-level signoff on the existence and appropriateness of key security controls.

Non-compliance with the regulation can lead to fines or program reviews. The exact scope of those consequences is not completely known, but it is safe to say you don't want to be the first to find out.

Here are the upcoming milestones:

  • Feb. 15: Covered entities are required to submit the first certification under the regulation for Notices to Superintendent, 500.17(b) on or prior to this date.
  • March 1: The one-year transitional period ends. Covered entities are required to be in compliance with the requirements of sections Chief Information Security Officer 500.04(b), Penetration Testing and Vulnerability Assessments 500.05, Risk Assessment 500.09, Multi-Factor Authentication 500.12 and Training and Monitoring 500.14(b).
  • Sept. 3: The 18-month transitional period ends. Covered entities are required to be in compliance with the requirements of sections Audit Trail 500.06, Application Security 500.08, Limitations on Data Retention 500.13, Training and Monitoring 500.14(a) and Encryption of Nonpublic Information 500.15.
  • March 1, 2019: The two-year transitional period ends. Covered entities are required to be in compliance with the requirements of Third Party Service Provider Security Policy 500.11.

The impact of these regulations will vary significantly among organizations. For the most part, the expectations reflect a best practices-based security approach and overlap with other existing regulations and requirements with which you are already likely familiar. The higher level of accountability for documenting policies and procedures by boards of directors and CISOs may be new to some companies, however.

The good news is this regulation may give CISOs a direct opportunity to document the current state of controls and pave a path forward. Security departments may get a boost in stature as well. To maximize the opportunity with the level of visibility and accountability that is required, CISOs should have a well-thought-out roadmap for complying with the regulation that includes solid cost projections and feasible implementation timelines.

In most companies, CISOs won't have delivery responsibility for all elements cited in the regulation, but because they are the ones affirming compliance to regulators, they should ensure proper due diligence and signoff all the way down the organizational chain. A robust process must be agreed to by various stakeholders, including auditors, risk managers, legal and compliance and senior management.

Philosophy and culture play an important role in how this regulation will impact a particular organization. Organizations typically fall into two camps when it comes to regulatory mandates: one camp sees regulations as the "ceiling" and builds its program only to meet the highest control that is required, while the other camp sees regulations as the "floor" to build upon, taking the view that required controls are only the minimum standard that must be met.

Since it is likely that more regulations will be introduced over time, those organizations that consider regulatory standards the foundation and add on higher best practices for their security program have a much easier time adapting to evolving requirements.

We'll continue to watch for the emergence of similar regulations in other states, as well as the impact of non-compliance to the New York State Cybersecurity Regulation.

Matt Martin is VP of financial services security solutions at Trustwave.
