The enactment of New York Department of Financial Services' cybersecurity regulation on March 1, 2017, garnered significant media attention, and it's not hard to see why. The rule is the first of its kind in the U.S. and it sets precedent for financial regulators in other states.
History and precedence aside, the most pressing question is, will the regulation have the desired effect of improving cybersecurity in the financial sector? Since banks, credit unions and other financial institutions are among the more heavily targeted organizations, it's worth assessing how they could be impacted on a larger scale.
A refresher on NYDFS's rule
The standout characteristic of New York's new rule is its flexibility. Chief risk officers and other stakeholders at financial institutions voiced concern regarding the rigidity of the earliest proposals. The fact is, no two financial institutions' security environments are identical.
So, rather than creating a set of specific security requirements, NYDFS determined that nonexempt institutions in New York state must develop a formal cybersecurity strategy based on required, periodic risk assessments. This is a departure from the norm in that the provisions aren't sweeping requirements. Financial institutions are essentially being told that they must take a risk-based approach to cybersecurity.
Viewed from that lens, the nature of what the regulation in its final form aims to achieve becomes clearer: tailored cybersecurity strategies based on risk.
A step in the right direction
Financial institutions have experienced more than their fair share of adversity during the past few years. In 2016, hackers stole $81 million from a global financial messaging system in one fell swoop. Incredibly, the perpetrators made off with less than a tenth of their targeted sum. The only thing that kept them from stealing nearly $1 billion was a typo in the name of a made-up institution used for transferring funds.
This is just one of several notable attacks that have left a deep impression on leaders of financial institutions. More importantly, it says nothing of Dridex, ransomware, mobile banking fraud and the countless other attacks that banks, credit unions and insurers constantly cope with. As all of this is going on, financial institutions are being told how this solution or that MSSP will give them the security they need to keep cyberthreats at bay. Not to mention, examiners are breathing down their necks.
"The rule forces financial institutions to be more introspective about cybersecurity."
Then, in March, out of these chaotic circumstances, a rule emerges that forces financial institutions to become more introspective about cybersecurity (FFIEC guidelines had done this to an extent, but even those were not required). Essentially, NYDFS – in response to feedback received during comment periods – didn't try to tell organizations what they needed, but rather, gave them a framework that would force them to ask that question of themselves.
Fascinatingly, this mirrors a trend that is currently taking place among MSSPs, as they adopt a new approach to cybersecurity services known as managed detection and response (MDR).
How MDR tailors cybersecurity for financial institutions
MDR, like NYDFS's new regulation, differs from traditional cybersecurity wisdom in that it doesn't sell one particular solution or product. Instead, MDR behaves more like an in-house security operations center. It analyzes and maps the network, identifies inherent shortcomings in security posture and then prescribes controls to address those potential vulnerabilities. This may ring a few bells for leaders at financial institutions. Risk management follows a similar lifecycle, so what MDR really does is bring that risk-based approach to cybersecurity management.
From managing compliance to creating better safeguards against phishing attacks, the purpose of MDR is to map out an organization's security requirements based on risk and make sure that they are met – not entirely unlike New York's new cybersecurity regulation. In fact, it would even be fair to say that the two go hand in hand. Both gravitate away from the granular, checklist approach to risk mitigation. More importantly, both exhibit potential to significantly improve overall security posture.