Essential Cybersecurity Requirements for Financial Services Companies

April 01, 2019 Sarah Challis Articles


Do cybersecurity concerns keep you up at night?

You're not alone. All financial institutions in New York and around the world are now facing a more sophisticated cyber threat landscape. As hackers continue to improve their skills and gain access to more advanced tools, the threat for financial companies is escalating. 

In fact, cyber criminals are increasingly focusing their efforts on smaller institutions that may have weaker protections in place. In recent years, smaller financial companies that lack robust defenses or proper security protocols have been used as a gateway into larger global banking systems.

For example, in February 2016, a group of hackers compromised Bangladesh's central bank and issued fraudulent payment instructions over SWIFT (the worldwide inter-bank messaging network) against the bank's account at the Federal Reserve Bank of New York. Five of the transfers, totalling about $101 million, were executed before the rest were stopped; roughly $81 million was never recovered. The case was significant because the attackers targeted a smaller, less-secure bank, used its own systems and credentials to send messages that looked legitimate, and thereby moved money out of a larger, better-secured institution that had no reason to distrust them.

Impact of security breaches on financial services companies

For a financial institution, a security breach damages both finances and reputation. Customers regard financial services companies as the custodians of their personal and financial information. When a breach occurs and that information is stolen and used for malicious activities such as identity theft, customers lose their trust in the institution concerned. This is potentially disastrous because it can trigger a mass migration of customers away from the breached institution, which in the worst case can lead to its collapse.

Large-scale attacks on financial institutions also result in direct financial losses, from stolen funds to remediation, legal and regulatory costs, that can cripple or sink a company outright.

NYDFS cybersecurity regulations to help financial service companies

In light of the rising number of cyber criminals looking to exploit technological vulnerabilities and gain access to sensitive data held by financial services companies, the New York State Department of Financial Services (NYDFS) has established a cybersecurity regulation, 23 NYCRR Part 500, to help those companies reduce their risk of attack.

Under this regulation, banks, insurance companies, and any other type of financial services company regulated by the NYDFS are required to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of their information systems and the nonpublic information (including customers' financial and personal data) stored on them.

Some of the main requirements for your company to be compliant include:

  • Have a written cybersecurity program and its documentation in place
  • Undertake periodic risk assessments of your information systems
  • Have a written cybersecurity policy and incident response plan in place
  • Have qualified cybersecurity personnel, including a Chief Information Security Officer (CISO) who reports to the board
  • Maintain audit trails that allow you to reconstruct material financial transactions and to detect and respond to cybersecurity events
  • Limit user access privileges to information systems that hold nonpublic information, and review those privileges periodically
  • Provide ongoing training for your cybersecurity personnel and regular awareness training for all staff
  • Assess the risk posed by third-party service providers that handle your data or systems
  • Ensure effective controls such as Multi-Factor Authentication are used
  • Have policies and procedures for securely disposing of nonpublic information that is no longer needed

Key compliance dates to note:

  • February 15th, 2018 - Submit the first annual certification of compliance on or before this date.
  • March 1st, 2018 - Be in compliance with sections 500.04(b) (CISO report to the board), 500.05 (penetration testing and vulnerability assessments), 500.09 (risk assessment), 500.12 (multi-factor authentication) and 500.14(b) (cybersecurity awareness training).
  • September 3rd, 2018 - Be in compliance with sections 500.06 (audit trail), 500.08 (application security), 500.13 (limitations on data retention), 500.14(a) (monitoring of authorized users) and 500.15 (encryption of nonpublic information).
  • March 1st, 2019 - Be in compliance with section 23 NYCRR 500.11 (third-party service provider security policy).


Key areas that financial services companies should focus on to stay safe from cyber attacks

1. Critical customer data protection

As mentioned earlier, keeping critical customer information safe is imperative for any financial services company. Companies should therefore start by identifying where that information lives and flows, and then protect it throughout its lifecycle. Points where customer information is typically exposed include online banking, credit card payments, and transaction processing, among others.

Financial companies should implement key security measures such as encryption of data both at rest and in transit, properly configured and maintained firewalls, and additional verification mechanisms on customer accounts (especially online accounts) such as two-factor authentication and voice or facial biometrics, among others.

2. Monitor and limit access to non-public information

Sensitive, non-public information should only be accessible to a controlled group of people whose roles require it. Additionally, access logs should be reviewed periodically to spot accesses that fall outside that group, or unusual activity by people inside it, so that gaps in access control can be found and closed.
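The periodic log review described above can be automated. The following is an added example, not code from the original article or from NYDFS: it checks each read of a nonpublic data set against a per-data-set allowlist of authorized users and also flags authorized users whose cumulative reads exceed a bulk threshold. The log format, the allowlist, the data set names and the sample log lines are all constructed for illustration.

```python
"""Review access logs for nonpublic information against an allowlist.

Added example, not code from the original article. The log format
("timestamp user action dataset record_count"), the allowlist and the
sample log lines below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed allowlist (assumption): which users may read each data set.
AUTHORIZED = {
    "customer_pii": {"alice", "bob"},
    "card_numbers": {"alice"},
}

# Constructed sample log lines in the assumed format above.
SAMPLE_LOG = """\
2019-03-04T09:12:01Z alice read customer_pii 12
2019-03-04T09:15:44Z bob read customer_pii 3
2019-03-04T11:02:10Z carol read customer_pii 1
2019-03-04T12:40:09Z bob read card_numbers 1
2019-03-04T22:05:31Z alice read customer_pii 4800
"""


@dataclass(frozen=True)
class Finding:
    """One item for the reviewer: who touched which data set, and why it matters."""
    user: str
    dataset: str
    reason: str


def parse_log(text):
    """Yield (timestamp, user, action, dataset, count); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, dataset, count = parts
        try:
            yield ts, user, action, dataset, int(count)
        except ValueError:
            continue  # non-numeric record count: treat as malformed


def review_access(log_text, authorized=AUTHORIZED, bulk_threshold=1000):
    """Return findings for reads by users outside the allowlist, plus
    authorized users whose total reads of one data set reach bulk_threshold.

    A data set missing from the allowlist has no authorized readers, so
    every read of it is reported.
    """
    findings = []
    totals = Counter()
    for _ts, user, action, dataset, count in parse_log(log_text):
        if action != "read":
            continue
        if user not in authorized.get(dataset, set()):
            findings.append(Finding(user, dataset, "not on allowlist"))
            continue
        totals[(user, dataset)] += count
    for (user, dataset), total in totals.items():
        if total >= bulk_threshold:
            findings.append(Finding(user, dataset, f"bulk read of {total} records"))
    return findings


if __name__ == "__main__":
    for finding in review_access(SAMPLE_LOG):
        print(f"{finding.user:8} {finding.dataset:14} {finding.reason}")
```

Run against the sample log this reports carol (never authorized for customer_pii), bob (authorized for customer_pii but not card_numbers) and alice, whose late-night read of 4800 records pushes her daily total over the bulk threshold even though every individual read was permitted. In practice the allowlist would be generated from the access-control system rather than hard-coded, so that the review also catches drift between the documented entitlements and what the logs show.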

3. Implement regular training

Your in-house cybersecurity personnel should be trained regularly so that they stay current with emerging risks and the ways to counter them. You should also extend training to the rest of your staff, so that they recognise the techniques attackers commonly use against employees and know how to avoid creating the openings those techniques rely on.

4. Be pro-active

Have an incident response plan designed to respond promptly to, and recover from, any cyber threat thrown your way. Your program should be able to detect cybersecurity events, contain and mitigate their effects, and return you to normal operations and services, and the plan should be exercised regularly rather than left on the shelf.

5. Review your cybersecurity procedures regularly

You should also review your cybersecurity policies, procedures, and program regularly, and after any significant incident or change to your systems, to ensure that they keep pace with the ever-changing threat landscape.


These are the essential requirements that financial services companies need to practise, and comply with, to safeguard their finances and protect their customers. For more on the NYDFS compliance requirements, or to find out whether your company qualifies for an exemption from some of them, contact us today.
