Top executives at some of the world’s biggest banks and insurers will have to vouch for their companies’ resilience to cyber attacks, under tough rules laid down by New York’s state regulator.
A new regulation, which takes effect on March 1, requires companies supervised by New York’s Department of Financial Services to establish and maintain a cyber security programme that can protect consumers’ private data and “ensure the safety and soundness” of the state’s financial services industry.
Executives will be made to submit an annual certification that the company is complying with the various requirements, and agree to notify the DFS of any serious breaches within 72 hours of their discovery.
“This has gone further than any other regulation I’ve seen, and is the most prescriptive,” said Joe Nocera, Chicago-based leader of PwC’s cyber security practice.
The new regime comes as financial institutions are under near-constant bombardment from criminals, “hacktivists” and disaffected insiders, all trying to breach their defences. Attempts range from “watering hole” attacks, where employees gather at spoofed websites that implant malware, to more complex schemes led by state-linked groups.
North Korea, for example, was thought to be behind last year’s $101m heist at the Bank of Bangladesh, carried out via an account at the Federal Reserve Bank of New York. The sum could have been much higher, were it not for a typo in the routing instructions.
More attacks from Pyongyang’s army of hackers could be in the offing this year, say experts, as China’s ban on coal imports exacerbates a shortage of foreign exchange in the country.
Banks will need to stay on high alert to threats from other nation-state actors such as China, Russia and Iran, said security experts.
“You jiggle enough door handles, you find one that opens,” said one.
The DFS’s regulation affects financial institutions that operate through a New York state charter — a list that includes Goldman Sachs, BNP Paribas, Deutsche Bank, AIG and MetLife.
Analysts say the protocols are mostly in line with those adopted by the Federal Financial Institutions Examination Council, an inter-agency body that sets uniform standards for examinations by regulators including the Federal Reserve and the Office of the Comptroller of the Currency.
But the requirement for an executive to testify that the company’s systems are up to scratch could expose that individual to liability if the company’s cyber security programme is later found to be non-compliant.
The regulation also says that companies should flag incidents to the DFS which “have a reasonable likelihood of materially harming” the company.
That could be a “tall order,” said Aleksandr Yampolskiy, chief executive of SecurityScorecard, a risk benchmarking company. “Banks have all kinds of systems gathering data. Sometimes there’s so much of it they don’t know what they have.”
For now, no other US state “comes anywhere close” to New York’s level of scrutiny, said Jim Halpert, Washington-based co-chair of the cyber security practice at DLA Piper, a law firm.
He noted that Andrew Cuomo, the Democratic state governor nearing the end of a second four-year term, appears to be eyeing a run for president in 2020.
“He doesn’t want to be accused of being asleep at the switch,” he said.