In the effort to shore up cyber defenses among financial companies, regulations are looming in New York state.
Beginning this spring, and in staggered increments from March, when the regulations went into effect, the New York State Department of Financial Services (NYDFS) has mandated new practices and protocols for firms within insurance, banking and financial services.
Among the new rules: Firms must appoint a senior chief information security officer, and either that officer or the corporate board must approve written cybersecurity policies. Compliance must be certified annually. And if the aim is to protect customer data, that goal covers not just individual consumers but corporates as well.
As New York goes, so does the financial services industry in a sense.
Consider the fact that all those verticals have a strong showing in the state, as New York City reigns among the financial capitals of the world. Though firms had been staring the NYDFS regulations in the face, many financial companies are still underprepared to meet the staffing and monitoring challenges that come with the new regulation, per Richard Hudson, vice president of cybersecurity at Cordium.
In an interview with PYMNTS, Hudson said, anecdotally, that in his discussions with financial services firms falling under the umbrella of the new New York regulations, most are not ready to meet the new requirements.
“Smaller firms today are lacking” in terms of staff in place needed to address concerns in risk and security. Some of those firms, he stated, may even be unaware of what the New York initiative requires. At particular risk might be the firms that are based overseas and yet have a New York City presence as well, with, perhaps, limited knowledge that statewide policies require the aforementioned staffing efforts and input from senior management, along with the first implementation deadline of Aug. 28.
If cybersecurity-focused staff is lacking and internal policies are incomplete, one culprit at the financial services firms might be “IT politics,” which Hudson defined as hesitation (and even disagreements) between investment officers and the security officers within a firm.
One example lies in cyber insurance, where there can be debate over how much to buy and which events are covered; in other cases, the debate is over the timing and cost of system upgrades that a firm finds palatable. Existing security processes and hierarchy “can become a roadblock” to better protection.
Said Hudson, smaller firms with smaller staffs and perhaps just a single dedicated cyber risk professional, or with one or two parties with significant oversight of payments processes, can be at greater risk for fraud.
“There is both the technical and the human aspect of payments fraud,” he said. “At a minimum, you need [cyber]insurance,” along with monitoring of third-party vendors. In the absence of all this, said the executive, financial services firms may be slow to identify and address the fallout from breaches and attempted breaches — pushing risk, especially for payments fraud, down the chain to the enterprises that do business with those financial services companies, and on to the companies that do business with each other.
Think of it, said Hudson, as a scenario where the chain of communication breaks down. If the financial firms are unable to assess their own vulnerabilities and the enterprises are similarly in the dark, then reporting to regulators about breaches and attempted breaches (also mandated) cannot be done on a timely basis.
That’s a problem against a rising backdrop of payments fraud, where, for example, business emails are compromised and where, as the Association for Financial Professionals estimated, 63 percent of attacks came from “outside” of firms.