Security Orchestration Addresses the Latest Cybersecurity Regulation Plaguing the Financial Services Industry
On March 1, 2017, the New York Department of Financial Services implemented the “Cybersecurity Requirements for Financial Services” regulation, 23 NYCRR 500. These new rules respond to the growing concern that financial firms actively conducting business in New York State face increased cyber threats with little oversight, putting consumers and businesses at risk. As active partners with some of New York’s major financial institutions, Siemplify is providing a brief note on the key takeaways and on how we are helping the New York financial services industry meet these new regulatory needs.
What are the Cybersecurity Requirements and Implications of this new regulation?
These revisions are primarily seen as a set of recommendations for financial executives and senior security leaders. Although the regulations stop short of offering directly prescriptive advice, they put hard deadlines in place, and those deadlines place significant pressure on the financial services industry to prove it has acted on the recommendations. A few key rules pertaining to leadership require that:
- A CISO, or a third-party vendor filling that role, must be on staff.
- The CISO holds documented responsibility for the organization’s security apparatus.
- Documented proof of meaningful employee training and of incident response reporting can be provided to regulators.
Additionally, a financial services organization that is licensed and/or regulated by the New York State DFS is now required to assess its “security risk profile”, design a security program that addresses the organization’s risks, and file a certification confirming annual compliance with the regulations. A summary of the key directives includes:
- Implementing a cybersecurity program that encompasses identification and triage of internal and external cybersecurity risks, maintains network access/authentication logs, can detect and respond to events and fulfills applicable regulatory reporting obligations.
- Designation of a Chief Information Security Officer (CISO) and utilization of qualified cybersecurity personnel (may be from a third party service provider).
- Continuous monitoring or periodic penetration testing and vulnerability assessments.
- Provision and requirement that all personnel attend cybersecurity awareness training.
- Ensuring the use of secure development practices for in-house developed applications, and implementing procedures for assessing and testing the security of all externally developed applications.
- Assessing the risk to non-public information and information systems accessible to or held by third parties, and conducting third-party security assessments at least annually.
- Implementing controls, including encryption, to protect non-public data in transit and at rest.
- Establishment of an incident response plan.
Why is an effective Incident Response Platform important?
Jed Davis, a partner with the law firm Day Pitney and a former U.S. federal cyber crimes prosecutor, recently stated that “Many organizations are going to have a lot of work to do to come into compliance with these revised regulations.” It is important to note that mid-sized and large firms alike will struggle to implement all of the recommendations. While many points are outlined, the greatest benefit lies in the overall emphasis that companies need to better contextualize their data and alerts, unite disparate security tools, establish consistent workflow processes, and be capable of providing meaningful reporting and visibility throughout the incident response process.
How can Siemplify Help?
ThreatNexus is a security orchestration and incident response platform that mitigates many of the potential pitfalls brought on by 23 NYCRR 500. Letting security teams conduct day-to-day security operations through a single interface is changing the way our financial services clients orchestrate their threat management process. This regulation puts a spotlight on the need for a centralized platform, or “workbench”, that lets security analysts work efficiently: a platform that provides the full scope of threat response to unify people, process, and technology, and that also standardizes processes and arms analysts with the tools to effectively triage, investigate, and respond to all types of threats.
As the new regulations are sure to bring further realizations and complexities, Siemplify will continue to monitor trends and key takeaways from our existing implementations with leading financial organizations. If you would like to reach out to a Siemplify thought leader, please email firstname.lastname@example.org or visit https://www.siemplify.co/contact/.