
New Cybersecurity Regulations Adopted to Protect Financial Systems & Information

According to Symantec's Internet Security Threat Report, almost 1.1 billion identities were stolen globally in 2016, up sharply from a reported 563.8 million in 2015. The same report placed the United States at the top of the list both for number of breaches by country (1,023) and for number of identities stolen by country.

New York State's Department of Financial Services (DFS) and other government bodies around the globe have been monitoring this growing cybercriminal threat and working out how to protect both the private information of individuals and the information technology systems of regulated organizations.

New York State's Department of Financial Services released new cybersecurity requirements (23 NYCRR 500) that directly affect how financial data must be managed going forward. The regulation applies to DFS-regulated financial services companies ("covered entities") and requires each of them to prepare and submit an annual Certification of Compliance with the NY DFS Cybersecurity Regulations to the superintendent, beginning February 15, 2018.

The regulation covers: cybersecurity programs and policy; personnel, resources and training; penetration testing and assessments; audit trails; access privileges; application security; third-party service providers; encryption of Nonpublic Information (NPI); data retention; and incident response and notification.

Among other requirements, the regulation obliges a covered entity to notify the superintendent within 72 hours of determining that a qualifying cybersecurity event has occurred (one that must be reported to another government or regulatory body, or that has a reasonable likelihood of materially harming normal operations). In the past, many companies chose not to disclose breaches at all, because much of the cost of an incident stems from damage to brand reputation and the effort needed to rebuild client trust afterwards.

Along the same lines as the NY DFS regulation, the Federal Reserve Board (FRB), the Office of the Comptroller of the Currency (OCC) and the FDIC issued an advance notice of proposed rulemaking (ANPR) on enhanced cyber risk management and resilience standards for large banking organizations. The states of Vermont and Colorado have also issued their own cybersecurity requirements for the protection and monitoring of data.

Two controls specifically called out in the NYS DFS cybersecurity requirements, Multi-Factor Authentication (MFA) and Risk-Based Authentication (RBA), are key methods both for complying with the regulation and for defending against attacks.

Multi-factor authentication means verifying a person with at least two factors drawn from different categories, generally a combination of:

  • "Something I Have" — a hardware token, a mobile soft token, etc.
  • "Something I Know" — a PIN or a password, and
  • "Something I Am" — a fingerprint or face recognition.

With MFA, the two factors must be independent of each other: compromise of one factor (a leaked password, say) must not compromise the other.

Risk-based authentication is the ability to detect anomalies or changes in a person's normal usage pattern as part of the authentication process, and to require additional verification when an anomaly is detected, before a breach can occur.
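To make the two ideas above concrete, here is a small worked example written for this page (it is not HID Global's code and not part of the regulation): a password check (something I know), an RFC 6238 one-time code check (something I have) kept fully independent of the password store, and a risk score over the login's device, country, hour and recent failures that decides when the second factor is demanded. The user profile, device identifiers, score weights and the 40-point threshold are constructed assumptions; the TOTP secret is the RFC 6238 reference secret.

```python
import hashlib
import hmac
import struct

# --- Factor 1: "something I know" (a password, stored only as a salted PBKDF2 hash) ---

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(stored_hash, salt, candidate):
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored_hash, hash_password(candidate, salt))

# --- Factor 2: "something I have" (RFC 4226/6238 one-time code from a token or app) ---

def hotp(secret, counter, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret, code, unix_time, step=30, window=1):
    # Accept the current 30-second step and +/- `window` neighbours for clock drift.
    counter = unix_time // step
    return any(
        hmac.compare_digest(code.encode(), hotp(secret, counter + d).encode())
        for d in range(-window, window + 1)
    )

# --- Risk-based authentication: score how far a login deviates from the user's pattern ---

STEP_UP_THRESHOLD = 40  # assumed weight; at or above this the second factor is demanded

def risk_score(profile, attempt):
    """Returns (score, reasons). Weights are illustrative assumptions, not a standard."""
    score, reasons = 0, []
    if attempt["device_id"] not in profile["known_devices"]:
        score += 40
        reasons.append("unrecognised device")
    if attempt["country"] not in profile["usual_countries"]:
        score += 40
        reasons.append("unfamiliar country")
    if attempt["hour_utc"] not in profile["usual_hours"]:
        score += 20
        reasons.append("outside usual login hours")
    if attempt["recent_failures"] >= 3:
        score += 30
        reasons.append("repeated recent failures")
    return score, reasons

def authenticate(profile, creds, attempt, now, otp=None):
    """Password is always checked; the one-time code is demanded only when risk is high."""
    if not verify_password(creds["pw_hash"], creds["salt"], attempt["password"]):
        return False, "password rejected"
    score, reasons = risk_score(profile, attempt)
    if score < STEP_UP_THRESHOLD:
        return True, "allowed: low risk (score %d)" % score
    if otp is None:
        return False, "step-up required: " + "; ".join(reasons)
    # The TOTP secret is independent of the password hash: a leaked password
    # database says nothing about the code the attacker must also present.
    if not verify_totp(creds["totp_secret"], otp, now):
        return False, "one-time code rejected"
    return True, "allowed: password + one-time code (score %d)" % score

# --- Constructed sample data (not real credentials) ---

SALT = b"constructed-salt-0001"
CREDS = {
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "salt": SALT,
    "totp_secret": b"12345678901234567890",  # RFC 6238 reference secret
}
PROFILE = {
    "known_devices": {"laptop-7f3a"},
    "usual_countries": {"US"},
    "usual_hours": set(range(7, 20)),  # 07:00-19:59 UTC
}

def demo():
    normal = {"password": "correct horse battery staple", "device_id": "laptop-7f3a",
              "country": "US", "hour_utc": 10, "recent_failures": 0}
    anomalous = dict(normal, device_id="android-unknown", country="BR", hour_utc=3)
    now = 59  # RFC 6238 test time: counter 1, whose 6-digit code is 287082
    return (
        authenticate(PROFILE, CREDS, normal, now),
        authenticate(PROFILE, CREDS, anomalous, now),
        authenticate(PROFILE, CREDS, anomalous, now, otp="287082"),
        authenticate(PROFILE, CREDS, anomalous, now, otp="000000"),
    )

if __name__ == "__main__":
    for allowed, outcome in demo():
        print(allowed, outcome)
```

Run as a script, the first login (known device, usual country and hour) passes on the password alone, the same password from an unknown device in another country at 03:00 UTC is refused until a one-time code is supplied, and a wrong code is refused. Note the caveat for covered entities: 23 NYCRR 500.12 requires MFA for any individual reaching the internal network from an external network unless the CISO has approved reasonably equivalent controls in writing, so for external access the second factor is mandatory regardless of the risk score; the score is what drives step-up for the remaining, internal cases.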

It is far more efficient to prevent intrusions in the first place by focusing attention on the security of the applications being accessed, both externally and internally. To learn more about these regulations and how similar standards will affect you, visit www.hidglobal.com/iam.
