It’s been more than a year since New York state’s first-of-its-kind cybersecurity regulations for the financial industry were announced. Banks, insurance companies, and other financial institutions that operate in New York – even if they are headquartered elsewhere – are expected to comply with the regulations in a phased rollout that ends March 1, 2019, but includes several milestones along the way.
The motivation behind the regulations is simple: Financial services are a huge target for hackers. An IBM report found that financial services companies experienced 65 percent more attacks in 2016 than the average business across all other industries. In addition, the number of attacks on finance businesses grew by 29 percent year-over-year.
Finance companies collect a range of sensitive personal data from consumers, including credit card numbers, Social Security numbers, email addresses, and home addresses. This consumer data is often more valuable to hackers than any actual money they could steal from personal bank accounts. A 2014 breach at JP Morgan Chase resulted in the theft of data records for 83 million customers; the hackers made out with $100 million through the sale of those records.
Besides being the first state regulations to establish formal requirements around cybersecurity, the new rules are especially significant to mainframe professionals due to the critical role of the mainframe in financial services IT. An estimated 92 of the world’s top 100 banks rely on mainframe computing to manage consumer financial information.
In other words, if you manage mainframes at a financial institution that operates in New York and haven’t already heard about these regulations, you will soon enough. Here’s a primer to bring you up to speed.
The Basic Requirements
The regulations essentially require formalized and documented security programs and policies for all financial services businesses that operate in New York state. The cybersecurity program must perform certain key functions, including:
- The identification and assessment of internal and external risks that may threaten the security or integrity of sensitive customer data stored on organizations’ IT systems
- The implementation of policies, procedures, and “defensive infrastructure” to protect that data
- The detection of “cybersecurity events,” which are defined as any successful or unsuccessful acts or attempts to disrupt, misuse, or gain unauthorized access to sensitive data
- A response plan for identified or detected cybersecurity events
- A recovery plan for those events, to restore normal operations and services
- Reporting obligations, including the creation of an audit trail
Companies must create and document a policy for the secure disposal of data that’s no longer needed by the business, in order to limit the risk that old data falls into the wrong hands. Other requirements are also specific to staffing: institutions must hire a chief information security officer (CISO) and conduct security awareness training for employees. The regulations also establish a 72-hour window during which the New York State Department of Financial Services (DFS) must be notified of a data breach.
DFS has not specified any monetary consequences for noncompliance, but the agency does have the authority to issue fines, and costs would vary on a case-by-case basis, department head Maria Vullo told Business Insider.
The Impact on Mainframe Professionals
The regulation also makes several specific technology mandates, including the use of multi-factor authentication to protect critical IT systems. Data encryption is also required both in-transit and at rest, except in cases where the company’s CISO implements “alternative compensating controls” that are more feasible. While the regulations don’t specify the level of required encryption, it does require the company’s CISO to review these controls annually to make sure they’re still sufficient.
Additionally, IT teams will be required to conduct risk assessments of their environment and perform annual penetration testing on their systems. Bi-annual vulnerability assessments are also required to ensure that companies are systematically reviewing publicly known cybersecurity vulnerabilities that threaten their systems.
All of these technical requirements would apply to mainframe systems, and the deadline to meet the encryption requirement is coming up: September 1, 2018. It’s a good time to re-evaluate your mainframe encryption strategy to ensure you’re in good shape.