New Cybersecurity Rules for New York Financial Firms

Next week (March 1), new regulations from the New York State Department of Financial Services (DFS) will take effect, giving financial services firms licensed to operate in New York 180 days to improve their security based on new requirements.

The regulations cover a slew of issues ranging from the maintenance of written policies, testing, governance and auditing, to detection, defense and incident response measures. It also mandates that all financial services firms have a dedicated CISO. It’s no longer acceptable to have those roles and responsibilities fall under another position.

Given the increasing difficulty in hiring security professionals, this is not a small requirement. The CISO role, practically unheard of a decade ago, has taken on growing importance in the last couple of years as the scale and scope of breaches have escalated. It’s also why we’re seeing more regulations, legislation, policies, and standards with an emphasis on cybersecurity.

From NIST to the Federal IT Modernization Report, and the Data Security and Breach Notification Act, vulnerability disclosure is quickly becoming an adhered-to standard for most organizations. And while the New York State DFS regulations are arguably less stringent than some of the others listed, they are a good start and it stands to reason that there will be more to come.

To ensure success, financial services firms should be planning at least one step ahead, implementing vulnerability disclosure programs (VDP) and bug bounties along the same guidelines as legislation being passed in the U.S. Congress. The New York State DFS regulations mandate annual penetration tests and bi-annual vulnerability assessments. While this is good, continuous assessments are the best prescription. Protecting personal assets and consumers information on a constant basis should be a top priority.

Vulnerability assessment is a best practice, but it’s not one size fits all. Bugcrowd was built to support ad hoc *and* continuous assessment, and provides auditor-friendly output — all necessary for compliance. This ensures organizations of any size or stage of security maturity not only benefit from the power of crowdsourced assessment but also meet the new regulations and security standards. Further, Bugcrowd provides a fully managed service that takes the burden of accepting, validating and paying for external vulnerability submissions, freeing up internal teams to focus on the critical earlier stages of product design and development.

New York is leading the way with this legislation. Financial services firms across the country will undoubtedly follow suit, regardless of legislation. And with the number of other policies and standards in place, it’s only a matter of time before every organization implements VDP or bug bounty. Having a good partner will make it possible for more organizations to do this sooner, and more effectively.

For more information on how Bugcrowd supports vulnerability assessments and/or to speak with a bug bounty expert, feel free to reach out via this form.