How banks are coping with New York’s cybersecurity rules
Theodore Tomita has plenty to say about the New York State Department of Financial Services’ new cybersecurity rule, which began to take effect last week, and little of it is complimentary.
“It was a complete and utter waste of time,” said Tomita, a senior vice president and the chief technology officer at Catskill Hudson Bank in Monticello. “I would love to have about 15 minutes with [Gov. Andrew] Cuomo to thank him for the 4,000 phone calls I’ve received from every fly-by-night company that says they can be our information security officer. Many of them have no idea what they’re doing and some are fraud peddlers.”
The first phase of compliance, which ended August 28, required all banks to have a cybersecurity policy in place.
The next phase, which ends in March, requires banks to meet several technical requirements, including implementing multifactor authentication and periodic penetration testing and vulnerability scanning.
“That due date is going to come up very quickly and those requirements take much longer to implement,” said Tomita, who also holds the titles of information security officer and physical security officer at the $426 million-asset Catskill.
While his assessment is unusually blunt, it’s fair to say the New York law has forced affected banks to rethink many areas of their technology and security infrastructure. Some of the requirements — such as vulnerability scanning and penetration testing — are already common practice and recommended by federal security guidelines. In other areas, such as the need to implement multifactor authentication or stronger controls over access to nonpublic information, the New York rules are stricter than federal guidelines and some banks are struggling to comply.
The department's superintendent, Maria Vullo, spoke proudly of the new rules on the first compliance date. “This day marks a significant milestone in protecting the financial services industry and the consumers they serve from the threat of cyber-attacks,” she said in a press release. A spokesman for the agency offered no further comment.
The rules require institutions regulated by the department to use multifactor authentication to protect access to internal networks, “unless the covered entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.”
This might sound simple — just require a one-time passcode or biometric in addition to a user name and password when employees and customers log in. But it can be tricky in practice.
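To make the control concrete, here is an added example of the "one-time passcode in addition to a user name and password" check described above. It is not code from the article or from any bank or vendor named in it. It implements RFC 4226 HOTP and RFC 6238 TOTP over HMAC-SHA1 with the Python standard library, verifies a password hash and a six-digit code as two independent factors, tolerates one 30-second step of clock skew, and refuses to accept the same code twice. `DEMO_SECRET` is the published RFC 6238 test key, used only so the output can be checked against the standard's vectors; the user record, password and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

# The RFC 6238 reference key (ASCII "12345678901234567890"), used here only so the
# generated codes can be checked against the RFC's published test vectors.
DEMO_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 200_000  # constructed demo value; tune to your hardware


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, at // step)


def matching_counter(secret: bytes, code: str, at: int, step: int = 30, window: int = 1):
    """Return the time-step counter whose code matches, or None.

    Accepts +/- `window` steps so a token whose clock drifts by a few seconds
    still works. compare_digest keeps the comparison constant-time.
    """
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return counter + delta
    return None


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the enrolled TOTP key."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_counter": -1,  # highest time-step counter already consumed by a login
    }


def authenticate(user: dict, password: str, code: str, at: int) -> bool:
    """Two-factor login: both the password and the one-time code must verify."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    counter = matching_counter(user["totp_secret"], code, at)
    # Evaluate both factors before deciding so a failure does not reveal which one failed.
    if not pw_ok or counter is None:
        return False
    # A code is single-use: reject anything at or before the last accepted step.
    if counter <= user["last_counter"]:
        return False
    user["last_counter"] = counter
    return True


if __name__ == "__main__":
    user = make_user("correct horse battery staple", DEMO_SECRET)
    t = 59  # RFC 6238 vector: time 59 -> counter 1 -> code 287082
    print("first login:", authenticate(user, "correct horse battery staple", totp_at(DEMO_SECRET, t), t))
    print("replayed code:", authenticate(user, "correct horse battery staple", totp_at(DEMO_SECRET, t), t))
```

The code is the easy part of the control; what the article's sources are describing is the harder work of getting every core and peripheral system to consult a check like this one before granting access, and of deciding which accounts count as privileged.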
The large core banking system providers don’t all offer multifactor authentication, Tomita pointed out.
Beyond the core, applying multifactor authentication to other systems at a bank can be problematic, because “you have a mixed bag of environments out there where people have systems that don’t integrate well into multifactor,” Tomita said.
“Organizations I’ve talked to have no idea what they’re going to do,” he said. “Some people are going to have to complete forklift upgrades in order to make their networks compliant with multifactor authentication. That is a tremendous burden that I don’t think anybody looked at when they put this together.”
Al Pascual, senior vice president and research director at Javelin Strategy & Research, noted that hackers at this year’s Black Hat conference identified multifactor authentication as the most difficult control to circumvent.
Nevertheless, it is an area where banks and all organizations are trying to improve.
“We’re doing studies now where we see there’s still a really significant opportunity for more banks to use multifactor,” he said. One difficulty, he said, is identifying privileged users.
A related challenge is the need to protect nonpublic information, which is driving banks to adopt data-loss prevention technology, Pascual said.
“Knowing where all your customer’s data is and who has it is critical,” he said. “You can’t begin to secure anything if you don’t know where the exposure is. There are solution providers that help companies identify where their data actually is — who has it, what network it’s in. Then you can begin to make more accurate risk assessments.”
Another aspect of the New York rules that’s tough to implement is the third-party vendor cybersecurity assessments, Tomita said.
“If you have a vendor doing work for you and they have minimal amounts of data, they probably don’t have a data center so you’re not going to be able to do a true cybersecurity risk assessment,” he explained. “There’s resistance from organizations that are not in the banking industry. The DFS is holding banks to a ridiculous standard that we can’t get our vendors to match.”
A further technical challenge is the requirement that banks notify the DFS within 72 hours of a cybersecurity incident, said Mark Krotoski, a partner at the law firm Morgan Lewis.
“Most states have a requirement of notification when there’s a reasonable period of time to determine what happened,” he said. “Within 72 hours of a cybersecurity event, you don’t know much; sophisticated hackers conceal their tracks.”
Unperturbed in Westchester
At the $600 million-asset Westchester Bank in White Plains, president and CEO John Tolomer sounded relatively sanguine about the new rules.
“The DFS had been giving guidance for a long time, and we invest heavily in cybersecurity,” Tolomer said. “We use different vendors that help us stay abreast of all the current changes and protect our data.” He mentioned two: core provider Fiserv and security company All Covered.
“We continue to run different tests to be sure we do everything in compliance with DFS cybersecurity,” Tolomer said. “But this is part of the natural order of enhancements we ordinarily do, so it hasn’t been significantly expensive or caused any hardship.”
The bank already uses multifactor authentication, conducts annual penetration testing, frequently tests employees to see if they fall for phishing attempts and monitors systems for signs of foul play.
“We’re always concerned about cybersecurity,” Tolomer said. “If the White House and Pentagon can be hacked, anyone can be hacked.”
That's why Tolomer said he approves of what the New York regulators are doing.
“I think in essence they’re trying to make sure that banks are making cybersecurity top of mind, which it is,” he said.
Some of the differences in banks’ attitudes toward the cyber regs might be chalked up to size.
For large banks, the new rules are “status quo. Nothing has changed,” Pascual said.
This is particularly true since the New York regulators made a change to the rules in December that allowed for more flexibility, for instance, shifting to a risk-based approach to security.
“This clarity was needed around things like whether or not compensating controls would be allowed in place of encryption,” Pascual said. Before December, some larger banks were concerned the rules were too prescriptive or didn’t align with best practices.
Large banks already meet some of the basic stipulations of the rule, such as the need to appoint a chief information security officer and conduct risk assessments, Pascual noted.
The rules are driving many smaller banks to outsource more of their information security operations, Pascual said.
“From a practical perspective, given the cost of maintaining a mature security capability, it’s not practical for small banks to do it effectively in house,” Pascual said. “Not only because of increasing costs around technology and staffing, because there’s such a huge skills gap, these smaller banks can’t compete to get really good talent, but now on top of that they’re having to meet a higher regulatory burden. And we know that small banks are being actively targeted for things like ransomware.”
Kim Chatani, an adjunct professor in the MBA program at Concordia University in Irvine, Calif., agreed that the challenge for many community banks is resources.
“Not necessarily only cash, but people,” he said. “For a bank to run a cyber risk management program, you need technically capable people, and many will migrate to larger institutions. Many small firms outsource capabilities of cyber-risk management.”
Tomita suggested that rather than coming up with cybersecurity rules when some already exist, New York regulators could provide banks some assistance.
For instance, the New York agency could follow the example of the PCI Security Standards Council, an industry group that not only issues standards for credit and debit card data, but also offers a free tool to scan networks for card data that must be encrypted. The agency could help bankers review security vendors and products, or specify the criteria they should meet.