What New York is doing to strengthen its cybersecurity stance

Last month, Director of National Intelligence Daniel R. Coats said that cyber threats have become a top priority in the US, as malicious actors become more aggressive, manipulative, and unpredictable.

New York is the fourth most populous state in the US and is home to the country’s most populous city: New York City (NYC). NYC boasts one of the world’s largest financial services centers, making it a prime target for cyber crime. Technological advances being embraced by the sector, such as the Internet of Things (IoT), bring additional vulnerability and risk.

The financial services sector experienced a high volume of cybercrime

In 2016, the financial services sector was a top cyber crime target, according to IBM. Between 2015 and 2016, there was an astounding 937% increase in financial records breached, with more than 200 million records impacted.

Matthew Waxman, a professor at Columbia Law School and co-chair of the Center for Cybersecurity at Columbia Data Science Institute, notes that financial services are particularly vulnerable.

“It’s sometimes very difficult to get the government to take action against certain threats until a catastrophe takes place,” Waxman said. “But that could change very suddenly if the banking system were knocked offline or another very major disruption to everyday life affected the lives and security of citizens on a massive scale.”

Incidents such as the Equifax data breach, which impacted at least 147.9 million consumers worldwide, are prime examples of the increasing volume and severity of threats. Rather than sitting tight and waiting for the next one, New York has taken a more proactive approach. In March 2017, New York’s Cybersecurity Regulation (23 NYCRR Part 500) came into effect.

Is New York State doing enough to protect its information?

The New York State Department of Financial Services (NYDFS) is responsible for regulating financial services and products in the state and, by extension, New York City. Financial services are very much a part of critical infrastructure and any disruption could have a major impact. 23 NYCRR Part 500 seeks to protect covered financial services organizations by enforcing minimum cybersecurity standards. No other US state or local government has issued such a sweeping regulation.

However, 23 NYCRR Part 500 is not without its weaknesses. For example, there are no clear penalties for non-compliance. Unlike the upcoming EU General Data Protection Regulation (GDPR), which imposes fines of up to €20 million ($24,600,000) or 4% of a company’s annual global turnover, there is no set amount for data breach-related fines in New York State. Levies under 23 NYCRR Part 500 vary from case to case.

This has prompted some cybersecurity proponents to suggest that companies won’t feel compelled to follow the rules. Cybersecurity expert and GRA Quantum president Thomas Boyden told Business Insider, “If companies don’t feel like there’s going to be any consequence for any action on their part, companies aren’t going to take [the regulations] seriously.”

23 NYCRR Part 500 aims to inform, not necessarily to punish. NYDFS superintendent Maria Vullo asserts that the department is not cultivating a punitive atmosphere. “[I]t’s not the objective,” Vullo said. “If anything, the objective is to make it clear that cyber threats are real and that New Yorkers and the companies that maintain their personal information are facing higher risks of attack.”

Cybersecurity experts say that the regulation can serve as a model for policies and regulations for other industries, even at a federal level. According to the National Conference of State Legislatures, in 2017, more than 240 bills or resolutions were introduced in 42 states to address cybersecurity. Since 23 NYCRR Part 500 came into effect, Colorado and Vermont have created cybersecurity laws of their own.

Your organization can’t afford to wait – protect it from cyber attacks

By enacting 23 NYCRR Part 500, New York has demonstrated that it is not going to wait for a cyber attack to happen. Neither should your organization.

The Federal Information Security Management Act (FISMA) is a federal law that was enacted as Title III of the E-Government Act of 2002. It mandates that federal agencies implement information security programs to ensure the confidentiality, integrity, and availability of their information and IT systems, including external agencies and contractors.

FISMA requires compliance, and recommends that organizations adhere to NIST’s Cybersecurity Framework, which is designed to address the cybersecurity needs of critical infrastructure organizations, such as financial services. It is a voluntary framework, providing guidance for organizations to help manage their cybersecurity risks.

This guidance is based on existing best-practice standards and guidelines, and provides a way of aligning other frameworks and control sets with each organization’s unique cybersecurity needs. NIST’s framework is applicable to any organization in any part of the world and is designed to protect organizations from cyber attacks. It helps organizations involved in critical infrastructure to systematically organize their cybersecurity activities and ensure they remain up to date.

The framework is also strongly focused on making sure that any cybersecurity measures taken are appropriate for the level of risk involved – in other words, ensuring that implemented measures are cost-effective.

This framework references ISO 27001, the international standard that describes best practice for an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive or confidential data to ensure it remains secure. An organization that achieves ISO 27001 certification sends a message to clients, peers, and industries that it is taking effective measures to protect its data.

To guide you through an ISO 27001 ISMS implementation, IT Governance has developed a four-day training course combining its ISO27001 Foundation (CIS F) and Lead Implementer (CIS LI) classroom courses. You will gain an understanding of the activities needed to plan, implement, and maintain an ISO 27001-compliant ISMS.

Book a place on our ISO27001 Foundation and Lead Implementer Combination Course for a 15% saving on the cost of the two separate courses.