The state of New York on cybersecurity: What’s now, what’s new

On April 30, 2001, then US Secretary of Defense Donald Rumsfeld sent out an ominous memo with a 38-page report attached to it. The paper raised the possibility of the Internet being weaponized by enemies of the US, targeting American computer networks with malicious code and cyberattacks. And because New York is the financial capital of the world, it was a prime target for what was then a fairly new term: cyberwar.

Five months later, 9/11 happened. It shut down the US stock market for four days and sparked a mini-crash in the first week trading resumed.

Almost two decades after the memo and report came out, the US has precautions in place to prevent a repeat of the attack that brought New York to a standstill. But is the Empire State capable of protecting itself from a cyber-9/11?

New York is ahead in cyberattack response

Global consulting firm Accenture came out with a survey that showed New York companies as being exceptionally efficient in responding to cyberattacks.

In particular, they were swift in identifying breaches. The global average dwell time, the time elapsed between an attacker's initial intrusion and the victim's discovery of it, is 175 days, nearly half a year. In New York, the majority of breaches were found within seven days.

New York companies also excelled in the speed of remedying breaches. 87% of the respondents claimed they were able to fix breaches in less than 60 days. In comparison, the global average is 74%.

New York is behind in cyber protection

Unfortunately, when it comes to preventing cyberattacks, New York companies are behind their global counterparts. While Big Apple businesses were able to prevent nearly 75% of cyberattacks, global companies were more successful at 87%.

Most of the threats in New York came from internal attacks and malicious insiders. This is especially worrisome because insiders already hold legitimate, and often privileged, access to company systems, so perimeter defenses built to keep outsiders out do little against them. The greater threat is from within, not from external enemies.

New York as the cybersecurity capital

To protect the financial capital of the world, ambitious steps are being taken to make New York the capital of cybersecurity. Project Cyber NYC — which is a partnership between the city government, several major private companies, and two prominent venture capital funds — will involve the creation of a Global Cyber Center, a cybersecurity innovation hub, and academic partnerships with NY colleges. Major corporations will also assist with training and hiring.

Cyber NYC will further benefit the city by creating an estimated 10,000 local cybersecurity jobs over the next decade.

New York’s new cybersecurity laws for financial institutions

In September 2016, Gov. Andrew Cuomo announced that the New York State Department of Financial Services (NYDFS) was going to implement sweeping cybersecurity regulations to protect the financial services industry.

In 2017, the NYDFS released 23 NYCRR Part 500, a set of cybersecurity regulations that require banks, insurers, mortgage lenders, and every other financial business licensed or regulated by the department (the regulation's "covered entities") to comply or face stiff penalties. The key requirements include:

  • Written cybersecurity policies – Businesses must adopt and maintain a written cybersecurity program and policies, approved by the board of directors (or a senior officer), covering areas such as access controls, data governance, vendor management, and incident response.
  • Chief information security officer (CISO) – Someone must be in charge of cybersecurity. A company that cannot hire its own may designate a qualified third party, such as a managed services provider (MSP) or an outsourced IT provider, but the company itself remains responsible for compliance.
  • Risk assessment and testing – Periodic risk assessments must drive the program, supplemented by penetration testing and vulnerability assessments to find out how exposed the network is and how to secure it.
  • Multi-factor authentication – Effective access controls, which may include MFA or risk-based authentication, must protect regulated data; MFA is specifically required for any individual accessing the company's internal networks from an external network, unless the CISO approves an equivalent or stronger control in writing.
  • Staff training – All personnel must receive regular cybersecurity awareness training, and the staff running the program must keep their security knowledge current.
  • Incident response plan – A written incident response plan is required, and the company must notify NYDFS within 72 hours of determining that a reportable cybersecurity event has occurred (one with a reasonable likelihood of material harm, or one that must be reported to another regulator).
  • Encryption and erasure of regulated data – Regulated data must be encrypted in transit over external networks and at rest; where encryption is infeasible, the CISO must approve compensating controls in writing. Data that is no longer needed must be securely and thoroughly disposed of.
  • Annual certification of compliance and CISO reports – Every business must file a certification of compliance with NYDFS each year, and the CISO must report at least annually to the board of directors on the state of the cybersecurity program.

While some companies welcomed the new regulations, others balked at the heavy requirements and the amount of catching up they needed to do. And although 23 NYCRR 500 spells out more specific technical requirements than the European Union's General Data Protection Regulation (GDPR) or our own Health Insurance Portability and Accountability Act (HIPAA), cybersecurity experts noted that the NYDFS regulation reaches only the financial industry, unlike the GDPR, which covers companies in all industries around the globe.

Experts hope that New York will lead the way for other states to improve their cybersecurity in the absence of federal government action. After 23 NYCRR 500 took effect, financial regulators in Colorado and Vermont followed suit.

New York state of mind: Be better protected; achieve NYDFS compliance

Maybe you're a New York-based business that wants better cybersecurity. Or you need NYDFS compliance but cannot afford to hire a CISO, or don't have the time to make heads or tails of 23 NYCRR 500.

Then you need our experts at Hudson Valley IT Services LLC. With almost 20 years of cybersecurity, data compliance, and IT consulting experience, we have earned a Better Business Bureau rating of A+. We will gladly keep you protected and help you achieve compliance, so you can focus on your business. Contact us today.
