How Security-as-a-Service gives you a leg up in developing a comprehensive cybersecurity plan
If you’re one of the thousands of banks, mortgage companies, insurers and other financial service firms that do business in the state of New York, your deadline to complete the final phase of compliance with the New York Department of Financial Services (NYDFS) Cybersecurity Regulation is upon you.
On March 1, 2019, you are required to ensure that third-parties who access your customers’ private data have security protections in place. This measure comes on the heels of three previous sets of requirements, rolled out in phases beginning in March of 2017, designed to address today’s increasingly sophisticated cybersecurity threats.
Taken together, the rules require you to assess your cybersecurity risks and implement a comprehensive plan to mitigate them. The ultimate goal is to protect sensitive customer data and promote the integrity of IT systems for regulated financial institutions.
While these rules have been promulgated by New York State regulators, the state’s status as a national and international financial center means that their impact is wide-ranging, crossing state and international borders to reach any firm with offices or branches in the state.
With the complexity of the new regulations, your firm will need considerable cybersecurity expertise along with the right technology to ensure compliance. Many small and medium-sized financial services firms, with smaller IT teams that lack the time or bandwidth, may be challenged to meet NYDFS requirements. In such cases Security-as-a-Service can help you address the regulatory demands that have rolled out over each of the four implementation phases.
While the offerings from each Security-as-a-Service provider may differ somewhat, look for a company that provides a dedicated cybersecurity advisor to clients who manages a team of experts available 24x7x365 in a security operations center (SOC). Together, these experts provide you with field-tested industry best practices as well as technology for threat hunting, vulnerability assessments, and patch management. They help your firm assess your risks and vulnerabilities, develop programs, policies and procedures to meet NYDFS demands, monitor your information systems for cybersecurity incidents, and guide your remediation efforts.
Here’s how a Security-as-a-Service provider can support NYDFS compliance every step of the way:
Phase 1, which went into effect on August 28, 2017, requires financial services firms to:
- Establish a formal cybersecurity program based on a risk assessment and implement capabilities for detecting, responding to and recovering from cybersecurity events.
With cybersecurity expertise scarce and at a premium, Security-as-a-Service solutions provide on-demand access to cybersecurity professionals who can supplement your existing IT team as you establish your cybersecurity program. With deep experience from engagements with many of your peers, these experts help pinpoint your risks and vulnerabilities, for example by assessing your firewalls and other security protections for flaws. They can perform patch management to address vulnerabilities, deploy ongoing security monitoring using a security information and event management (SIEM) system to identify potential security events, and provide remediation plans and guidance.
- Enact comprehensive cybersecurity policies.
As your Security-as-a-Service team gets to know your systems, it can apply its expertise to support your team as you develop information security policies for everything from access controls to incident response.
- Appoint a chief security officer responsible for cybersecurity and reporting, and hire cybersecurity personnel.
Finding and retaining IT staff with cybersecurity skills is becoming increasingly challenging. Simply put, demand is outstripping supply. Indeed, a November 2017 ISSA / ESG Research Report (“The Life of Cybersecurity Professionals”) states that 49% of cybersecurity professionals are solicited to consider other cybersecurity jobs at least once per week. Security-as-a-Service offers access to security experts from the service who can act as an extension of your security team.
- Develop a written incident response plan.
A deep understanding of incident response best practices enables SOC experts to work hand-in-hand with your team to develop a plan for addressing the types of attacks your firm is most likely to experience. Vulnerability assessment technology supports the incident response plan by helping identify weaknesses, as well as the remediation and controls necessary to mitigate the risk. Patch management services apply threat intelligence and business impact analysis to prioritize and simplify the patching process that fixes vulnerabilities.
- Notify the NYDFS about all cybersecurity events that are reasonably likely to cause harm.
Security-as-a-Service experts promptly notify you of any cybersecurity events and provide all the forensic information you need for reporting.
Phase 2, which went into effect on March 1, 2018, required firms to:
- Establish periodic penetration testing and vulnerability assessments, and periodically assess risks to information systems.
Security-as-a-Service solutions that provide vulnerability management technology can help satisfy the requirement for periodic vulnerability assessments and are always ready to assess risks. The cybersecurity advisor regularly discusses the results of these assessments with your team to inform and continuously update your cybersecurity program, so that it stays aligned with your evolving business needs and keeps up with evolving threats.
- Use multi-factor authentication or risk-based authentication.
Two-factor authentication is a cybersecurity best practice, and if you need assistance, your cybersecurity advisor can help you implement it across your systems.
- Provide regular cybersecurity awareness training.
Your cybersecurity advisor can train your IT department on security best practices and recommend the types of training to provide to end users.
- Have their CISO report on the cybersecurity program and any risks annually.
When it comes time to produce your CISO report, Security-as-a-Service solutions can help give you all the information you need. A good SOC should be aligned to your business needs and produce reports and executive scorecards that communicate the success of your ongoing cybersecurity programs, the integrity of your information systems, your information system attack surface, and your patch management efforts. Cybersecurity advisors stand by to explain these reports and scorecards in terms your technical managers, non-technical managers and executives can all understand.
Phase 3, which went into effect on September 3, 2018, required firms to:
- Maintain records and audit trails.
SIEM tools store logs to create an audit trail and enable security monitoring across multiple systems. If your firm is audited, this SIEM data is used to demonstrate that you have protected your IT systems properly.
- Establish and follow guidelines for application security.
A SOC can help you screen software applications to ensure that you don’t install any that are problematic from a security perspective.
- Limit data retention and establish proper procedures for safe data disposal.
Security experts from the service can work with your organization to identify your storage requirements and provide assistance with meeting NYDFS guidelines.
- Monitor and detect unauthorized access to sensitive data.
A SOC is designed to capture log information from your various systems, including access logs, allowing you to monitor the security posture of multiple systems. But many times, systems produce alerts that turn out to be false positives. Until proper forensic analysis is conducted, it can be hard to determine which alerts are false positives and which are noteworthy. When this happens, your cybersecurity advisors conduct an incident analysis for you and then work with your security team to fine-tune the alerts from the monitoring software to better detect unauthorized access.
- Encrypt non-public data in motion and at rest.
You have many encryption options (in fact, here’s a link to a blog post dedicated to encryption technology and requirements for financial institutions). At a minimum, the service should encrypt communication to and from the SOC portal, as well as data at rest.
Phase 4, which went into effect on March 1, 2019, requires firms to:
- Create and apply security policies to third-party providers accessing your data.
Your firm needs to prove that the third-party service providers you work with have good security controls in place. A completed SOC 2 audit of a provider gives you peace of mind in knowing that the partner takes the necessary care with your sensitive data. A cybersecurity advisor can guide you on how to determine your business partners’ SOC 2 audit status.
Though Phase 4 must be implemented this year, keep in mind that banks and financial institutions are not required to certify their compliance with the regulation’s third-party service provider risk management provisions until February 15, 2020.
How Cygilant can help
Cygilant’s Security-as-a-Service offering helps you address NYDFS compliance requirements. We offer a dedicated cybersecurity advisor assigned to your organization, as well as cybersecurity experts available 24x7x365 who provide you with cybersecurity best practices and best-of-breed technologies to help assess your risks and to develop, implement, maintain, and audit your comprehensive security safeguards.
Our technology is unique in providing completely integrated security monitoring, vulnerability management and patch management. Because all of this cybersecurity data is accessible in one place, it’s easier to correlate events so you can better understand what’s going on in your network, where problems exist, and why a problem occurred, and so we can alert you to the issue. Our integrated technology makes it quick and easy for our security experts to forward useful and actionable information to you about security issues that need to be addressed. These vetted alerts save you time and effort by eliminating insignificant alarms. Integration with patch management makes it easy to go in and fix any problems.
Our security experts aim to complement your security team. They are your cybersecurity experts – helping to create security policies, deploy solutions, and train IT and end users to adopt better security habits. Our team clearly explains issues to technical and non-technical constituents alike.
For today’s financial services firms, good cybersecurity is central to good customer service. It builds trust with customers in a way that drives loyalty and retention. Some forward-thinking financial institutions have started to redefine data security and information privacy as a corporate social responsibility. Cygilant’s Security-as-a-Service solution ensures you have the security you need to meet your most demanding security and regulatory requirements and to protect your customers and their information.
Learn more about how Cygilant can help you comply with NYDFS cybersecurity regulations.