Cybersecurity regulations in force for financial sector in New York; CISOs play vital role


Some $86.4 billion has been spent globally on information security so far in 2017 alone, a 7 percent increase from 2016, according to Gartner. The forecast for 2018 is that the spending will reach $93 billion, making the Chief Information Security Officer a fundamental role in any organization.

The growing threat of cyberattacks in 2017 has compelled decision makers to address cybersecurity as a serious risk-oversight issue with severe potential consequences to reputation and finances, according to a Bitdefender survey of 1,051 respondents from the US, UK, Germany, France, Italy, Sweden and Denmark. 58 percent of respondents have an incident response or disaster recovery plan in case of a major security breach, while 37 percent said a plan was a work in progress.

Malware attacks and data breaches are increasing, making it clear that technology alone can’t stop them; it needs help from CISOs and regulators. Regulatory bodies have issued strict regulations, such as the General Data Protection Regulation (GDPR) for the European space, with heavy fines for any entity found not compliant.

“Improving security is not just about spending on new technologies. As seen in the recent spate of global security incidents, doing the basics right has never been more important,” said Sid Deshpande, principal research analyst at Gartner. “Organizations can improve their security posture significantly just by addressing basic security and risk-related hygiene elements like threat-centric vulnerability management, centralized log management, internal network segmentation, backups and system hardening.”

Cybersecurity regulations have also been in force in the state of New York since March 1. Earlier this year, New York Governor Cuomo announced cybersecurity requirements for financial institutions.

The regulations require banks and all other financial institutions under the Department of Financial Services to designate a CISO who must develop a cybersecurity policy and program with proper funding and staff. The CISO is to deliver a regular report to the governing body.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” said Governor Cuomo. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

The financial industry is one of the most targeted sectors. By exploiting technical vulnerabilities, attackers could not only disrupt the financial system itself but also access consumer information and use it for fraud and theft.

Some 94 percent of IT executives in charge of computer and data center security strongly feel their organization could be the next target of an advanced persistent threat (APT), most likely launched by a competitor (61%), an opportunistic hacker (58%), a foreign state (48%), national government agencies (41%) or inside attackers (32%), Bitdefender found.

High-value assets that could be compromised following a cyberattack include information about clients (51%) and employees (33%), financial data (44%), and research about new products (37%) and product specifications (30%).

Financial (72%) and reputational (64%) costs were named the worst consequences of an attacker gaining access to the most valuable data a company holds or to its infrastructure. Others mentioned bankruptcy (42%) and interstate armed or cyber conflicts (23%), while 21% mentioned loss of life.

As automated environments become more common, the latter concern is legitimate should an APT target critical infrastructure. If nuclear power plants, national energy grids, urban water supplies, transportation management systems, traffic controller systems, hospitals or other healthcare facilities were suddenly to stop working or be manipulated into misbehaving, the result could be human casualties.