New York’s cybersecurity rules may have far-reaching impacts

New York’s new cybersecurity rule kicked in at the end of August, but businesses and banks are still working to bring themselves up to the compliance standard before the final reporting deadline. The rule’s main focus is improving the cybersecurity of online transactions and credit information within the state of New York, but it can have broader implications.

The law stipulates that any financial transactions that take place in New York are covered under the new regulations. That means even if a business isn’t located in the state, if a branch of its financial institution is, the business will need to pay attention to the new security measures being rolled out.

Asking for too much?

Reception to the rule has been mixed, polarized largely by the size of the affected businesses. For many of the larger firms, it’s business as usual. But for smaller banks and companies, coming up with the resources to meet deadlines has a few scrambling for help from vendors or pushing IT staff through overtime.

By August 28, all companies had to have some cybersecurity policy in place and in their handbooks. The rest of the regulations will be implemented in phases. By February 18, 2018, banks are required to submit the first certificate. Then, on March 1, all of the penetration testing, multi-factor authentication (2FA) and training requirements take effect. By the following year, every financial institution needs to be in full compliance.

The New York rules are stricter than the federal guidelines, so even if banks were already going above and beyond when it came to cybersecurity, some are finding they need to do a bit more.

But many of these requirements are nothing new. IT pros have been pushing for a while now to standardize practices like vulnerability scanning and penetration testing. Another requirement is 2FA, which essentially adds an extra step to verify that users logging in are who they claim to be.

Attempts to slow down

This is where many of the speed bumps are coming from. Some of the more antiquated systems aren’t able to implement 2FA, and many tech departments are left unsure of how to proceed. In many instances, the whole system needs to be upgraded, which some are calling a financial burden.

But as a counterpoint, hackers at this year’s Black Hat conference in Las Vegas came out to say 2FA is one of the hardest security controls to bypass. There is one vulnerability, but to fully take advantage of it an attacker would need to pull off James Bond-level spy work and have a tremendous amount of luck.

New York has also made it a requirement that third-party vendors are tested routinely and graded by banks before being used. This creates a disproportionate standard, since vendors aren’t held to the same requirements that banks are. As a result, many banks argue they can’t perform the audit required by the new rule.

Nevertheless, the goal of New York’s rule is to protect user data and to ensure that data is being stored securely. We’ve seen several times in the past year alone that third-party contractors aren’t the most secure when it comes to data management, and they are often the open back door that hackers are looking for.

Supporters of the rule point out that these requirements should already be front and center. Many banks were already running training simulations to make sure their users weren’t falling for phishing scams and were performing routine tests of their security systems. If a company hasn’t taken any security measures, will the cost to upgrade be expensive? Most likely. But what the price covers is peace of mind when it comes to securing sensitive user data and avoiding more costly incidents in the future.