Empire Stakes: Inside New York’s Unique Financial Industry Cybersecurity Plan

As the home of the world’s two largest stock exchanges, New York has an obligation to set the bar when it comes to protecting the financial industry from cyber threats. Protecting assets in an increasingly digitized world becomes more difficult as criminals become savvier in exploiting vulnerabilities.

New, first-of-their-kind regulations are designed to protect New York’s titanic interests in the global economy. But certainly Wall Street isn’t the only target on a hacker’s radar. How might these regulations provide guidance to organizations elsewhere?

High-Tech Bank Robberies

In 2016, the financial services sector was a bigger target of cyber threats than any other industry. More than 200 million records were breached, a jaw-dropping tenfold increase over the prior year. Criminals are choosing to target financial services rather than healthcare or retail, preferring to go after the source of the money. Financial service organizations were attacked 65% more frequently than the average organization across all industries.

The majority of these attacks (58%) come from inside the organization. More than half of that group — 53% — is unaware that they have initiated an attack, typically because an employee fell for a phishing scam or downloaded malware.

The City That Never Sleeps on Cybercrime

In early 2017, the State of New York announced unprecedented regulations for financial firms, partly as a response to the high-profile breaches of such nationally renowned companies as Target, Home Depot, and Anthem. Banks and insurers now must meet minimum standards and uphold regulatory reporting in order to better protect consumer data. Gov. Andrew Cuomo stated that the purpose of these “first-in-the-nation protections” was to prevent “serious economic harm caused by…devastating cyber crimes.”

These new rules require tighter security around third-party vendors, who previously were not required to notify banks of potentially compromising breaches. Every New York state-chartered bank, as well as any foreign bank licensed to operate in the state and any insurer doing business in New York, must perform a risk assessment within 18 months and design a custom cybersecurity program. They must then certify their compliance each year.

Survey Says…

A recent survey showed a high degree of false confidence within banking institutions when it came to their cybersecurity. More than three-quarters of security executives stated that their strategies were equipped for the future, yet these same banks allowed, on average, two to three breaches every month. Moreover, fewer than half of surveyed businesses have communicated a crisis situation plan to third parties. Such organizations can hardly be prepared for what could be some of the most devastating cyber attacks in history.

Healthcare facilities should also be on high alert. A similar survey noted that one in four U.S. consumers has had his or her healthcare data breached, with out-of-pocket costs averaging $2,500 per compromised user. Typically, these breaches occurred at hospitals, and the stolen data was most frequently used to purchase items, fraudulently bill for care, or fraudulently receive care or prescriptions.

Protection and Prevention

Essential steps to shore up cybersecurity, particularly for financial firms and healthcare facilities, include training employees to recognize phishing attempts and suspicious emails or websites, tightly controlling access to digital and physical data centers, leveraging machine learning to reduce threats, and developing an actionable, prioritized incident response plan that ensures cooperation between operations teams, risk managers, and infrastructure and cybersecurity officials. The aforementioned survey on financial institutions revealed that only two out of every five organizations have a clearly defined cybersecurity chain of command.

Furthermore, security issues can be reduced or mitigated with effective risk management tools, including routine vulnerability assessments or penetration testing, even if they aren’t required by the state, as they are in New York. Those who perform the audits and assessments can identify areas of both strength and weakness — but this testing is only useful if companies act on this information.

The Takeaway

Combining cybersecurity risk strategies with overall enterprise risk management strategies as a holistic defense network is becoming increasingly common and wise. Breaking down the barriers of informational silos and creating a cohesive unit that can predict and plan for cybersecurity events is as important as the recovery of key assets. The end result: organizations decrease their exposure, weather crises better, improve the efficiency of their cyber threat responses, and keep community and consumer relations positive.

At Sentek, we help companies identify their digital weaknesses before they can be exploited by bad actors. For more about how we can help shore up your organization’s cybersecurity, get in touch with us today.