More regulations are starting to appear in the security landscape as the New York State Department of Financial Services’ (DFS) cybersecurity regulation for the financial services industry took effect on March 1.
While this applies to the financial services industry, all industries are watching to see how the regulatory climate is faring for areas like critical infrastructure.
For now, that means financial services — one of the most highly regulated industries — has more regulations.
“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” said New York Governor Andrew Cuomo. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”
The purpose of the regulation is to provide “certain regulatory minimum standards” while at the same time “not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.”
This is a difficult line to walk, and the regulation attempts it by allowing the regulated entities to define the requirements according to their own risk assessments.
In regulatory terms, there is a potential weakness in that no controlling risk framework ends up defined on which to base those risk assessments — leaving individual entities some scope to define the baseline for their own conformance. The NIST Cybersecurity Framework would be an obvious candidate — but NIST is large and complex.
This leaves ambiguities in conformance. An example is in section 500.05 (Penetration Testing and Vulnerability Assessments). It states, “The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program.” In short, the regulated organizations can choose between “effective continuous monitoring”, and annual penetration testing with “bi-annual vulnerability assessments.”