A Weekend in Incident Response #20: New Regulations on Reporting Cyber Security Breaches for New York’s Financial Institutions

Faced with the growing threat of cyber attacks and the challenges involved in recovering from various cyber security events, New York state’s authorities have rolled out new cyber security regulations that apply to financial institutions operating within the state. New York’s Department of Financial Services (DFS) has issued the final Cybersecurity Requirements for Financial Services Companies, affecting “Covered Entities”, defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, establishing a set of standards that have to do with reporting cyber security breaches to regulators, in addition to implementing specific cyber security policies.

Cyber Security Programs and Incident Response Plans

The new regulation aims to protect New York’s banks and insurance providers against cyber attacks, along with protecting sensitive consumer data. To that end, the rules – that went into effect on March 1 – prescribe a wide-ranging set of requirements for financial services companies in terms of specific steps they are supposed to take to be better prepared for cyber security incidents and how and when they must notify authorities of cyber attacks on their computer systems and networks.

According to the regulations, financial services companies are required to create a cyber security program that is expected to protect their information systems against cyber attacks. A covered entity’s cyber security program should be focused on identifying internal and external cyber security risks, detecting cyber security events, responding to detected cyber security events, recovering from cyber security events, and complying with reporting obligations.

As far as cyber security policies are concerned, covered entities are required to implement them in order to be able to address systems and network security, information security, data governance, customer data privacy, risk assessment, and incident response, among other aspects of cyber security.

Reporting Incidents

When it comes to incident response plans, the new rules state that reporting cyber security  incidents to regulators must be a paramount part of those plans. Regulated entities are required to confirm they gathered documentation regarding cyber security events and report them to various government and supervisory bodies, as part of their previously devised incident response plans.

Compiling documentation in reference to cyber security events, creating appropriate reports, and notifying authorities can be a tedious task for any organisation’s CSIRT. Companies can face tough consequences if they don’t complete the documentation in a timely and proper manner. Companies often require the solution of a cyber incident response platform that can generate reports on cyber security incidents automatically and in various formats, and is also capable of tracking and collecting evidence, helping their cyber security teams compile the required documentation faster and effortlessly.

These types of platforms also can also help companies’ CSIRTs predict and detect cyber security breaches and respond as fast as possible, which is one of the main capabilities the new cyber security regulations require from covered entities.

A Weekend in Incident Response #13: Can Smaller Banks Comply with New York’s Proposed Cyber Security Rules?

Back in September, 2016, the New York State Department of Financial Services proposed a set of cyber security rules aimed at improving security among financial institutions. If accepted, the proposed rules will make it mandatory for banks and other financial institutions, as well as insurance providers, to develop a cyber security plan, and appoint a CISO (Chief Information Security Officer), who would enforce that plan in case of a cyber security incident.

While the state’s intention with the proposal of these rules is to help protect financial institutions from cybercrime, with many of the affected organizations provisionally stating that they are in favor of them, there were many institutions that didn’t seem to welcome the new requirements. Smaller institutions were concerned that these requirements would become an unnecessary additional financial burden for them. However, there are solutions that could help make the implementation of these requirements more cost effective for all organizations, including the smaller providers of financial services.

Cybersecurity Programs and Policies at the Center of the Requirements

There are a few main areas encompassed in New York State’s Proposed Cybersecurity Requirements for Financial Services Companies:

● Establishment of a Cybersecurity Program
● Adoption of a Cybersecurity Policy
● Designation of a CISO, (Chief Information Security Officer)
● Third-Party Service Providers

There are some additional requirements for the cyber security programs that are supposed to include – among other things – written incident response plans for response to and recovery from cyber security events, and annual risk assessments of the integrity, confidentiality, and availability of information systems.

Incident Response Platforms

Though the proposed requirements appear to be too cumbersome, expensive, and difficult to implement for small financial institutions at first glance, there are affordable solutions on the market that can be adopted to address all the above cyber security rules. There are platforms providing an automated incident response and assist organizations in recovering from cyber security events quickly and efficiently. Incident response platforms are the most cost-effective solution that all regulated entities can adopt in order to adhere with the proposed requirements.

Such platforms are all-in-one solutions allowing for the identification of cyber risks and cyber security events, enabling recovery to normal operations, by performing automated forensics. Other capabilities include – determining the exact number of incidents that have occurred within a certain period of time and what has caused them. Additionally, there are incident response platforms capable of performing predictive analytics, allowing an organization to prioritize its response, resulting in reduced reaction time and significant financial savings.

Another important feature of an incident response platform is the ability to track digital evidence and create automated incident reports. They can be sent to an organization’s cyber security team.

Considering that every new state or federal requirement presents an additional burden for small banks and other financial services providers, these types of platforms are one of the rare solutions that will allow them to comply with those requirements without having to spend substantial amounts of money. These platforms automate the entire cybersecurity incident response and recovery process, effectively streamlining an organization’s cybersecurity plan in the most cost-effective manner.