Connect with us

Hi, what are you looking for?


Risk Management

New Financial Regulation Forces Cyber Security into the Board Room

The New York State Department of Financial Services (DFS) ‘first-in-the-nation’ cybersecurity regulation for the financial services industry is, as of 1 March 2017, operational . One of the most highly regulated industries is now even more regulated in New York.

The New York State Department of Financial Services (DFS) ‘first-in-the-nation’ cybersecurity regulation for the financial services industry is, as of 1 March 2017, operational . One of the most highly regulated industries is now even more regulated in New York.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Cuomo said. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

The purpose of the regulation (PDF) is to provide ‘certain regulatory minimum standards’ while at the same time “not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.” This is a difficult line it seeks to follow by allowing the regulated entities to define the requirements according to their own risk assessments.

In regulatory terms, there is a potential weakness in that no controlling risk framework is defined on which to base those risk assessments — leaving individual entities some scope to define the baseline for their own conformance. The NIST Cybersecurity Framework would be an obvious candidate — but NIST is large and complex. “The NIST framework is extremely comprehensive, and for medium or small organizations, the burden of implementation wouldn’t be feasible,” comments Tim Erlin, senior director of IT security and risk strategist for Tripwire.

This leaves ambiguities in conformance. An example can be found in section 500.05 (Penetration Testing and Vulnerability Assessments). It states, “The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program.” In short, the regulated organizations can choose between “effective continuous monitoring”, and annual penetration testing with “bi-annual vulnerability assessments”.

It could be argued that cyber security requires all of those. The most effective at finding vulnerabilities is perhaps the most expensive: penetration testing; but this provides only a slice-in-time. Annual pentesting would leave perhaps eleven months in which vulnerabilities could go untested — and hence the bi-annual vulnerability scanning or continuous monitoring. What isn’t defined, however, is what should happen with the results of the testing.

Consider the views of professional pentesters. A recent survey found that only 10% of pentesters “saw full remediation of all identified vulnerabilities.” Almost a third of the pentesters felt they were employed for compliance purposes only. This is a danger for all regulations, and especially those that attempt to be ‘not overly prescriptive’: the more leeway offered to the regulated entities, the more likely it is that cyber security becomes conformance box-checking rather than security fulfilment.

The authors of the new regulation are not unaware of this problem, and have sought to limit it by requiring the regulated entities to provide an annual ‘certificate of compliance’ to the superintendent of financial services. This includes, “To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes.”

Advertisement. Scroll to continue reading.

The certificate requires that the board or senior officers have “reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary.” Furthermore, the statement must be “Signed by the Chairperson of the Board of Directors or Senior Officer(s).”

In short, the new regulation provides the regulated industries with a degree of compliance wiggle room by not being overly prescriptive, but then insists that responsibility for any wiggle is taken at the highest level. Any regulated industry that decides to wiggle will need to justify that wiggle; and since this is signed by the chairman of the board, there is no hiding place for any officer. This is perhaps the real innovation in this regulation, and one that might well be copied by other regulatory bodies in the future. This simple requirement could have a greater effect on moving cyber security into the boardroom than any other form of non-intrusive evolution.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...