New York’s cybersecurity regulations may seem burdensome, but they’re necessary

In recent years, more and more companies across a range of industries have fallen victim to cyber attacks, including Sony Pictures, Yahoo!, and LinkedIn; however, we have yet to see a successful large scale breach of a major U.S. financial institution.

Given the vast influence that large banks hold over both an individual’s personal finances and the greater U.S. economy, there must be systems in place to help prevent cyber attacks, alert customers in the event of a breach, and allow institutions to recover following an attack.
In September, New York Gov. Andrew Cuomo and New York’s top banking regulator wisely proposed new regulations that would require financial institutions, including banks and insurance companies, to follow a new set of cyber protection guidelines. (There are many exemptions for banks that have fewer than 1,000 customers in each of the last three calendar years, less than $5 million in gross annual revenue for each of the past three fiscal years, and less than $10 million in year-end total assets.)

The period for comments from the industry closed in November, and the regulation will be effective starting Jan. 1, 2017. Financial institutions then have 180 days to comply with the policy. The new regulations have sparked many discussions about the impact they will have on both the finance industry and cybersecurity broadly.

The New York regulations are a good starting point for establishing cybersecurity best practices within the financial industry. The new provisions align closely with the Center for Internet Safety (CIS)’s 20 CIS Controls, which are widely regarded as an industry standard for cyber threat prevention and mitigation. Earlier this year, the state of California made history by releasing the California Data Breach Report, which recommended that companies operating in California and other states adhere to the CIS Controls.

Several provisions of the New York policy are worth drawing attention to, for both their strengths and their faults.

500.04 Chief Information Security Officer

The new regulations call for companies to designate a Chief Information Security Officer (CISO) to oversee the implementation and enforcement of the organization’s cybersecurity practices. This is a great step toward creating a more secure financial industry, as making one individual responsible for the coordination of all cybersecurity efforts lowers the chance that something will fall through the cracks. In the current cyber climate it is more important than ever for cybersecurity professionals to have a voice within the C-suite. The provision’s statement that companies can use third-party service providers to fill this role will also allow financial institutions to meet this requirement while using fewer resources. Additionally, it is a thoughtful, appropriate response to the current cybersecurity employment environment, in which there are not enough cybersecurity professionals to meet the demand.

500.05 Penetration Testing and Vulnerability Assessments

Penetration testing, in which assessors try to get past a company’s security measures to test the strength of its protections, is a good start, but broader monitoring tactics would provide a stronger defense against attacks. Instead of, or in addition to, penetration testing, financial institutions should engage in continuous monitoring of their defenses. A penetration test measures security at a single point in time; continuous monitoring enables companies to spot a potential breach as soon as it occurs and take immediate steps to address it, rather than identifying security gaps only at periodic intervals.

500.12 Multifactor Authentication

The focus on multifactor authentication is great from a cybersecurity industry perspective. This tactic has proven extremely effective at protecting companies and their customers’ sensitive data. However, multifactor authentication can be expensive to implement, and many organizations will likely struggle to get these mechanisms in place. In the long run, though, it is a solution that will be worth the cost.

500.18 Limited Exemption

Although the intention of this item, to protect small businesses from overly burdensome regulation, is admirable, in this case it is somewhat misguided. Certainly, other provisions of this policy have been criticized for demanding too much of companies in time, money, and human resources. The less obvious downside of exempting small companies is that requiring them to comply with these regulations would actually help them and their clients in the long run. A full 60 percent of small companies go out of business within six months of a cyber attack, according to the U.S. National Cyber Security Alliance. Small companies often have more to lose than large companies when their data is breached, so it is critical for them to have systems in place to protect their data. Implementing good cybersecurity hygiene while the company is still small can be less expensive than waiting until it grows, and it is good practice to have sound cybersecurity habits ingrained in the company as it expands and new people come on board. Despite the financial strain these regulations may place on small companies, it is truly in their best interest to implement them. On the policy side, lawmakers should strive to create a middle ground that minimizes exemptions for smaller companies without being too burdensome, in order to promote the long-term success of small businesses.

Although New York’s regulations are far from perfect, they are a step in the right direction toward creating a more secure cyber environment for the financial industry.

Chris Ensey is COO of Dunbar Security Solutions.

The views expressed by authors are their own and not the views of The Hill.