Will the NYDFS Cyber Security Regulations Be a Nightmare for Wall Street?

On September 13, the New York Department of Financial Services (NYDFS) established a first in the finance industry: a sweeping proposal for minimum cyber security standards across the state’s financial organizations.

For firms that have been lax in their cyber defense posture, the news likely came as an early start to the Halloween fright fest. By 2018, these companies will need to implement or enhance a variety of security measures, including the encryption of sensitive data and appointment of a CISO. Quarterly vulnerability assessments and annual penetration tests will be required, as will written incident response plans, data access limitation controls and employee training programs. And although large banks may already be on the path to compliance with such standards, small and mid-size groups may be fretting over the scope of required changes.

Much more frightening, however, is the weak state of cyber security that the NYDFS proposal intends to address. Early this year, the SEC named cyber security the most threatening concern to the global financial system. This statement followed a major breach of the SWIFT messaging service, which allowed hackers to steal more than $81 million from the Central Bank of Bangladesh. According to a Biztech report, 37 percent of financial services companies have experienced double-digit increases in security incidents, and 90 percent of firms feel vulnerable to attacks. With more banking services operating online and in the cloud, not only are customer data and large financial accounts at stake, but the health of the whole financial system is potentially at risk.

So will the NYDFS regulations begin to turn the tide and confront the financial cyber security challenge? Some analysts feel that the measures are a step in the right direction, and many expect that other states will follow New York’s lead and implement standards as well. Critics, however, worry that the new legislation will simply create additional paperwork for large banks while doing too little to shore up the risks at smaller companies.

For any financial firm that wants to enhance its cyber security, it’s important to consider that, though compliance offers a strong foundation, it does not guarantee security. You can make your investment in security more effective by working with a partner that will help you assess your specific risks and develop your plans accordingly. Gotham Security specializes in addressing the cyber security needs of financial organizations, and we can help your firm go beyond the compliance check box and develop a program that truly mitigates your risk.

To learn more about our full spectrum of security services, contact us at info@gotham-security.com or 917.734.4120.