New Banking Cybersecurity Regulations Are Coming

December 7, 2016  |  Jake Mosher

Attention New York-based financial institutions: there’s a new cybersecurity sheriff in town! Well, not exactly, but the NY State Superintendent of Financial Services does have a new role. Under a regulation proposed by the New York State Department of Financial Services (DFS), as of January 1, 2017 financial service providers operating in New York face rigorous cybersecurity requirements. Organizations affected include banks, consumer lenders, money transmitters, insurance companies and certain other financial service providers. These so-called “Covered Entities” will be required to prepare and submit to the Superintendent an annual Certification of Compliance with the regulation, starting January 15, 2018.

The regulation was deliberately written so that other states could use it as a template for similar rules, which seems likely to happen.

In today’s blog, we’ll outline what the new regulation means for NY-based financial institutions, offer tips for implementation, and show you how AlienVault® can help companies achieve compliance.

What does this mean for NY-based financial institutions?

To comply with the new regulation, in-scope organizations will need to implement a number of security measures and controls, such as:

  • Establish a cybersecurity program;
  • Adopt a written cybersecurity policy;
  • Designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing the new program and policy, as well as establishing reporting requirements; and
  • Meet a number of additional requirements, covering areas such as penetration testing and vulnerability assessment, audit trails, access privileges, risk assessment and security personnel, which we walk through below.

What does this mean from a practical perspective?

Organizations that don’t already have the required security tools and controls in place will need to implement new controls, policies and procedures, and then demonstrate their compliance with the regulation. How much work that takes depends on your current security hygiene. For organizations that have invested in their security infrastructure, meeting the requirements should be no problem. For those that haven’t, you’ll have to loosen the purse strings. The time has come to pay the piper and get those security controls in place.

Here are some tips for implementing the key requirements outlined in the regulation:

Section 500.02 covers the establishment of a cybersecurity program.

Key tips to implement:

  • First and foremost, you will need to have a good threat detection tool in place. Malicious actors are pretty good at getting in, so the key is to detect them quickly. Look for tools that utilize multiple security monitoring techniques and capabilities, and can easily integrate with other security tools.
  • Second, you will need a tool that enables you to respond to events quickly. As soon as you’re able to identify a malicious actor in your system, you need to be able to get rid of them before they get what they came for.
  • Third, you will need to implement strong policies and procedures. Consider the old security mantra – “people, process, technology”. Having strong policies and procedures will help ensure that you are prepared to respond when an incident happens.
  • Finally, you will need a tool that supports reporting against the financial regulatory requirements you already face, such as FFIEC guidance, the Gramm-Leach-Bliley Act (GLBA) and FDIC rules.

Section 500.03 covers the implementation of a written cybersecurity policy which establishes policies and procedures for the protection of your systems and information.

Key tips to implement:

  • You will need to have the infrastructure and tools in place to deliver on all the areas that the policy requires. Tools that support threat detection, incident response, and compliance are well-suited to support your cybersecurity policy.
  • You should have a subject matter expert in each of the requisite areas who can help to write or review the policy. Of course, the expert may be one person or many persons, but regardless, their in-depth knowledge is critical for this step.
  • The policy will need to be reviewed by your Board of Directors (or its equivalent), and approved by a senior officer of the company, so nobody can say, “but I didn’t know about it”.

Section 500.04 covers the required designation of a Chief Information Security Officer (CISO) who is responsible for overseeing and implementing the cybersecurity program and for delivering on reporting requirements.

Key tips to implement:

  • You will need to have security tools in place that have good reporting capabilities. This is critical to ensure that you have the right information flowing in and through to the reporting process.
  • You should define metrics against which you can judge the effectiveness of your cybersecurity program. Good examples include software patch latency, password-policy compliance, percentage of applications under security management, and time to security event resolution.

Section 500.05 covers penetration testing and vulnerability assessments.

Key tips to implement:

  • Engage an external penetration testing firm to run the tests and show you where your security holes are. Fixing what they find closes those holes and improves your overall security posture.
  • If you don’t already have one, acquire a vulnerability assessment tool, ideally one that can easily integrate with your existing security management platform or other security tools.

Section 500.06 covers the so-called ‘Audit Trail’: you need to implement and maintain audit trail systems that record activity on your information systems in a form that can be retained, reviewed and relied upon after an incident.

Key tips to implement:

  • If you don’t already have one in place, acquire and implement a log management or Security Information and Event Management (SIEM) tool. SIEM tools matter because they collect logs of user and system activity in one place and correlate them to surface suspicious or malicious behavior.
  • Implement security monitoring tools that can monitor and track user activity. SIEM tools often include this capability, but whichever you choose, make sure it integrates well with your security management platform.
  • Use a log management tool or SIEM that supports the record retention you need, protects stored records from alteration, and provides both compliance and operational reporting.

Section 500.07 covers access privileges to your information systems.

Key tips to implement:

  • Adopt strong access control procedures: grant access on a least-privilege basis and periodically review who holds privileged access.
  • Utilize a security monitoring tool that tracks user access and activity, particularly use of privileged accounts.
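To make the audit trail (500.06) and access privilege (500.07) tips concrete, here is an added example, written for this post rather than taken from the original article or from the AlienVault product, of two controls a log pipeline can implement in a few dozen lines: a hash-chained, HMAC-tagged audit trail in which any edit or deletion of a stored record is detectable, and a privileged-access check run over the same records. The log format, the sample events, the signing key, the allowlist of privileged accounts and the management network prefix are all constructed for illustration and are not taken from the regulation.

```python
"""Tamper-evident audit trail plus a privileged-access check (added example)."""
import hashlib
import hmac
import json
from datetime import datetime

# Constructed sample events, not real data. The field layout is an
# assumption for this example, loosely modelled on SSH/sudo auth logs.
SAMPLE_EVENTS = [
    {"ts": "2016-12-05T09:02:11", "user": "alice", "src": "10.1.4.20", "action": "login", "priv": False},
    {"ts": "2016-12-05T09:05:40", "user": "alice", "src": "10.1.4.20", "action": "sudo", "priv": True},
    {"ts": "2016-12-05T23:41:03", "user": "svc-backup", "src": "10.1.4.77", "action": "login", "priv": False},
    {"ts": "2016-12-06T02:17:55", "user": "root", "src": "203.0.113.9", "action": "login", "priv": True},
]

# Hypothetical key. In production it belongs on a separate log-signing host
# or in an HSM, never on the same box as the logs it protects.
SIGNING_KEY = b"example-only-signing-key"

PRIVILEGED_ALLOWLIST = {"alice"}   # assumption: accounts allowed to use privilege
MANAGEMENT_NET = "10.1.4."         # assumption: prefix of the management network
BUSINESS_HOURS = range(7, 19)      # assumption: 07:00-18:59 local time


def canonical(event):
    """Deterministic serialisation so an identical event always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, event):
    """Append an event; each record's tag binds the previous record's tag."""
    event = dict(event)  # copy, so later tampering on the chain is local to it
    prev = chain[-1]["tag"] if chain else "0" * 64  # genesis value
    digest = hashlib.sha256(prev.encode() + canonical(event)).hexdigest()
    tag = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    chain.append({"seq": len(chain), "event": event, "prev": prev, "tag": tag})
    return chain


def verify_chain(chain):
    """Recompute every link from the genesis value.

    Returns (True, None) if intact, else (False, seq) for the first record
    whose link or tag no longer matches (an edited, inserted or removed record).
    """
    prev = "0" * 64
    for rec in chain:
        if rec["prev"] != prev:
            return False, rec["seq"]
        digest = hashlib.sha256(prev.encode() + canonical(rec["event"])).hexdigest()
        expected = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, rec["seq"]
        prev = rec["tag"]
    return True, None


def privileged_access_findings(chain):
    """Flag privileged actions that break the allowlist, network or hours policy."""
    findings = []
    for rec in chain:
        ev = rec["event"]
        if not ev["priv"]:
            continue
        reasons = []
        if ev["user"] not in PRIVILEGED_ALLOWLIST:
            reasons.append("account not in privileged-user allowlist")
        if not ev["src"].startswith(MANAGEMENT_NET):
            reasons.append("privileged action from outside the management network")
        if datetime.fromisoformat(ev["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("privileged action outside business hours")
        if reasons:
            findings.append((rec["seq"], ev["user"], reasons))
    return findings


def build_trail(events=SAMPLE_EVENTS):
    """Build a chained audit trail from a list of events."""
    chain = []
    for ev in events:
        append_record(chain, ev)
    return chain


if __name__ == "__main__":
    trail = build_trail()
    print("chain intact:", verify_chain(trail))
    for seq, user, reasons in privileged_access_findings(trail):
        print(f"record {seq} user={user}: " + "; ".join(reasons))
    # Simulate an after-the-fact edit: someone rewrites the source address.
    trail[3]["event"]["src"] = "10.1.4.20"
    print("after tampering:", verify_chain(trail))
```

The HMAC only protects records against someone who cannot read the key, so keep the key away from the log server and periodically anchor the latest tag somewhere outside the log system; then an attacker who gains root on the collector still cannot rewrite history unnoticed. The detection rules are deliberately simple allowlist checks; in a SIEM the same logic becomes correlation rules over the collected events.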

Section 500.09 covers risk assessment, and the requirement to conduct an annual risk assessment as part of your security policies and procedures.

Key tips to implement:

  • Identify and document the most critical risks facing your information systems and information.
  • Document your existing security controls and procedures.
  • Develop methods to evaluate the effectiveness of your existing controls.
  • Develop a risk mitigation plan.

Section 500.10 covers the hiring and training of qualified security personnel, or the employment of equally qualified third parties.

Key tips to implement:

  • Ensure that your organization is staffed with qualified security personnel.
  • Train your personnel to effectively use all deployed security tools.
  • Consider adding third-party threat intelligence services to stay informed about changes in the cyber threat landscape.

What are your next steps?

  • If you are a New York-based financial institution, examine the proposed regulation closely, using this blog and other resources, and start preparing for its implementation on January 1, 2017.
  • Inventory the existing security tools and capabilities you have in-house today.
  • Perform a gap analysis to identify where you have the largest gaps in terms of security tools, personnel, and policies and procedures.
  • Develop and implement a plan to begin closing these gaps.
  • Get the latest news and information about the 2017 rollout of the new regulation at the website of New York State’s Department of Financial Services.

How AlienVault USM can help you

The AlienVault Unified Security Management™ (USM™) platform helps you meet many of the requirements of the proposed regulation. Here are some essential security capabilities that are directly relevant to financial services institutions and the new cybersecurity regulation:

  • Asset discovery to detect unknown systems on your network.
  • Vulnerability assessment to identify the systems attackers are most likely to target.
  • Network and host-based intrusion detection to detect malicious activity on your network.
  • File integrity monitoring (FIM) to detect changes in critical files and suspicious user activity.
  • Log management to conduct forensic analysis of events using digitally signed raw logs for evidence preservation.
  • Security information and event management (SIEM) to correlate security events from across your network.
  • Integrated threat intelligence and response guidance to prioritize the most significant threats targeting your data, applications, and users.
  • Compliance report templates for GLBA, FFIEC, PCI, as well as custom reporting.
  • Continuously updated detection capabilities that allow you to automatically detect emerging threats.
