February 2018 sees the first set of compliance and reporting deadlines for the New York Department of Financial Services’ (NYDFS) Cybersecurity Requirements, but a Ponemon Institute survey claims that NYDFS-covered companies are far from prepared. It found that 53% of companies believe they won’t achieve compliance by the deadline, and only 13% were certain that they would be compliant by then.
The Cybersecurity Requirements apply to almost all companies that fall under the authority of the NYDFS. This includes (but is not limited to) banks, insurers, credit unions, and mortgage brokers with a branch in New York State, as well as third-party suppliers and service providers of those companies.
Biggest problems in achieving compliance
Respondents to Ponemon Institute’s study reported both a general lack of confidence in their cybersecurity program and problems in complying with specific aspects of the Cybersecurity Requirements. Only 40% of respondents rated their company’s ability to detect cyber attacks as highly effective, and 36% thought the same about their company’s ability to prevent them.
The most difficult parts of the Cybersecurity Requirements to comply with, according to 69% of respondents, are conducting annual penetration tests and implementing continuous monitoring. Other common difficulties include:
- 65%: Limiting user access privileges to information systems, and reviewing those privileges.
- 63%: Creating written procedures, guidelines, and standards designed to ensure the use of secure programming practices for applications developed in-house, and procedures for assessing or testing the security of external “commercial” applications.
- 62%: Encrypting nonpublic information.
- 60%: Implementing multi-factor authentication (unless the chief information security officer (CISO) has approved a compensating control to protect against unauthorized access to nonpublic information).
If, like the majority of respondents to Ponemon Institute’s study, you’re struggling to get to grips with penetration testing, you might be interested in our upcoming webinar: Addressing penetration testing and vulnerabilities, and adding verification measures.
It covers best practices for testing and how to train staff as part of creating a strong information security system that addresses people, processes, and technology. It also discusses the need to provide employees with training and monitoring controls.
The webinar will take place on July 25, 2017, at 1:15 pm (ET) / 10:15 am (PT).