Security in a Changed World: Cybersecurity Officially Meets Physical Security in the NY DFS Regulation
Cybersecurity experts have long espoused that cybersecurity is an enterprise-wide, board-level concern, and not just an IT problem. As evidenced by its new cybersecurity regulation, one of New York State’s top regulatory bodies fully agrees with that sentiment. The first-in-nation mandate from the New York Department of Financial Services (DFS), which regulates financial institutions (including banks and insurance companies) doing business in New York, will require companies to take a comprehensive approach to cybersecurity, protecting the confidentiality, availability and integrity of nonpublic information and information systems. But in addition to focusing on just the expected areas of information security, access controls and data privacy, DFS expressly called out “physical security and environmental controls” as a key area to be considered when developing a cybersecurity policy.
Overview of the Regulation
Broadly speaking, financial institutions that are New York State chartered or licensed are directly regulated by DFS. Although the DFS cybersecurity regulation contains certain exemptions from enforcement, including for covered entities that do not exceed certain thresholds for number of employees, gross annual revenue and year-end assets, DFS’s regulatory scope extends to financial institutions domiciled outside of New York State, and even outside of the US. DFS maintains a publicly available database of the entities it regulates. Unless a covered entity falls within an exception, it will be covered by the new cybersecurity regulation and will have to certify compliance beginning in 2018.
Physical Security and Environmental Controls
In an age of constant cyber attacks and the Internet of Things (IoT), companies are more exposed than ever when it comes to the vulnerability of their data. The financial sector is a high-value target for malicious and state-sponsored attackers, and the threat is real: to obtain specific data, an attacker may attempt multiple forms of entry, combining social engineering, phishing, and weaknesses in physical security and environmental controls. According to SecurityScorecard’s 2016 Financial Cybersecurity Report:
- 75 percent of the top 20 U.S. commercial banks (by revenue) are infected with malware; a number of malware families were discovered within these banks, including Ponyloader and Vertexnet.
- 95 percent of the top 20 U.S. commercial banks (by revenue) have a Network Security grade of ‘C’ or below.
The new DFS cyber regulation now requires a CISO, or an individual who takes on the responsibilities of that role, in most financial institutions. But the CISO role in the financial services industry, as in all industries, will not reach its full potential without a holistic perspective on enterprise risk management, including full collaboration with the organization’s physical security and crisis management leaders. These leaders should communicate weekly on company strategy, vulnerability updates, security incidents, attempted breaches and current investigations. Being on the front lines of physical and cyber security has never been more critical. Bridging the gap between physical and cyber security consists of seven critical steps:
- Right strategy and protocols, efficient collaboration and information sharing: Have an integrated enterprise strategy that is executed from the top down. Information sharing and collaboration among the leaders of the IT, cyber security, physical security and crisis response teams is imperative, and this includes those teams’ third-party vendors. Collaborating on specific security incidents and elevated threats can surface a potential threat early and materially aid the response to a risk.
- Pay attention to network and perimeter detection alarms: This includes the network security alarms that monitor network intrusions, as well as physical intrusion detection systems, digital video, temperature, HVAC, environmental and lighting alarms or sensors.
- Investigate perimeter vulnerabilities and hacks: Every alarm, whether network or physical security related, should have a threshold that triggers when that specific alarm needs to be investigated. This requires consistent monitoring and evaluation of the controls on entry to the physical property, assessing the legitimacy of a possible intrusion, reviewing whether an intrusion was physical, technical or operational, and communicating to the appropriate channels.
- Conduct vulnerability tests: Tests of the network, physical perimeter, fire suppression system and other alarm sensors should be conducted regularly, with reports that include follow-up action steps, audits and monitoring for further remediation.
- Containment of breaches: Segment company data on the network. If one area of a system is breached, then segmentation will ensure that the breach is isolated to that one area. Proper access controls, ID badges, and environmental design will assist in containing an attempt of a physical breach. Containment of a breach, physical or data, is a critical part of any security strategy.
- Have a good Vendor Management Program: This is an official requirement of the new NY DFS regulation. To see why this is important, institutions need look no further than the Target Corporation breach, which was initiated by a phishing attack on one of Target’s HVAC vendors. Clear assessment guidelines, follow-up audits that cover both physical and cyber security, and consistent monitoring are key.
- Train your employees: Train employees on best practices so they can identify physical and cyber security red flags. If they don’t work directly on these teams, they should know what to look for and who to contact if they believe a breach occurred. If they do work in security, a security guard at a data center for instance, they should be trained to promptly follow the appropriate protocol for identification and remediation of a security incident.
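The second and third steps above (watch network and perimeter alarms; give every alarm a threshold that decides when it is investigated) can be made concrete in code. The following is an added illustration, not code from the article, from NY DFS, or from any of the firms it mentions: alarm events from the physical, network and environmental monitoring domains are merged into one stream, each alarm type is held to a count-within-window threshold before it becomes an investigation, and investigations from different domains that fall close together in time are flagged so the physical security and cyber teams review them jointly. The log format, alarm names, thresholds, sources and sample lines are all constructed for the example.

```python
"""Threshold-based escalation of physical, network and environmental alarms.

Added illustration (not from the article or NY DFS). The log format, alarm
names, thresholds and sample events below are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical thresholds: an alarm type escalates once `count` events from the
# same source occur inside `window`. Tune per site; these are example values.
THRESHOLDS = {
    "door_forced": (1, timedelta(minutes=10)),
    "badge_denied": (3, timedelta(minutes=10)),
    "ids_alert": (5, timedelta(minutes=10)),
    "temp_high": (2, timedelta(minutes=30)),
}
# Escalations in different domains within this gap are flagged for joint review.
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample log (not real telemetry): "<ISO time> <domain> <source> <alarm_type>"
SAMPLE_LOG = """\
2017-06-01T01:00:00 network dc-switch-2 ids_alert
2017-06-01T02:10:00 physical door-7 badge_denied
2017-06-01T02:11:30 physical door-7 badge_denied
2017-06-01T02:14:00 network dc-switch-2 ids_alert
2017-06-01T02:12:45 physical door-7 badge_denied
2017-06-01T02:15:00 network dc-switch-2 ids_alert
2017-06-01T02:16:00 network dc-switch-2 ids_alert
2017-06-01T02:17:00 network dc-switch-2 ids_alert
2017-06-01T02:18:00 network dc-switch-2 ids_alert
2017-06-01T03:40:00 environmental chiller-1 temp_high
"""


def parse_event(line):
    """Parse one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, domain, source, alarm = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"time": when, "domain": domain, "source": source, "alarm": alarm}


def escalate(events):
    """Apply per-type thresholds with a sliding window keyed on (alarm, source)."""
    recent = defaultdict(deque)  # (alarm, source) -> timestamps still inside the window
    escalations = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["alarm"] not in THRESHOLDS:
            continue  # unknown alarm types are not silently counted
        count, window = THRESHOLDS[ev["alarm"]]
        q = recent[(ev["alarm"], ev["source"])]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()  # drop events that have fallen out of the window
        if len(q) >= count:
            escalations.append({
                "time": ev["time"], "domain": ev["domain"],
                "source": ev["source"], "alarm": ev["alarm"],
                "count": len(q), "cross_domain": False,
            })
            q.clear()  # one investigation per threshold crossing
    return escalations


def correlate(escalations):
    """Flag escalations from different domains that fall within CORRELATION_WINDOW."""
    for a in escalations:
        for b in escalations:
            if a["domain"] != b["domain"] and abs(a["time"] - b["time"]) <= CORRELATION_WINDOW:
                a["cross_domain"] = b["cross_domain"] = True
    return escalations


def investigations(log_text):
    """Full pipeline: parse the log, apply thresholds, then correlate across domains."""
    events = [e for e in (parse_event(ln) for ln in log_text.splitlines()) if e]
    return correlate(escalate(events))


if __name__ == "__main__":
    for inv in investigations(SAMPLE_LOG):
        flag = "JOINT REVIEW" if inv["cross_domain"] else "single domain"
        print(f"{inv['time']:%H:%M:%S} {inv['domain']:<13} {inv['source']:<12} "
              f"{inv['alarm']} x{inv['count']} -> {flag}")
```

On the sample log the three badge denials at door-7 cross their threshold at 02:12:45 and the five IDS alerts on dc-switch-2 cross theirs at 02:18:00; because the two fall within fifteen minutes of each other in different domains, both are flagged for joint review, while the lone chiller temperature alarm and the stray IDS alert from an hour earlier never reach an investigation. Keying the window on source as well as alarm type keeps a noisy sensor in one building from masking a real burst elsewhere.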
As recognized in the NY DFS regulation, physical security is a key component of every financial institution’s overall cybersecurity program. The deadline for development of a cybersecurity program and policies under the regulation is August 28, 2017, so covered entities are urged to take immediate steps to assess their risks and remediate compliance gaps in order to achieve timely compliance with the regulation.
Jessica Robinson is CEO of PurePoint International, which focuses on bridging the gap between physical and cyber security.
Judy Shelby is Insurance & Technology Advisory Services Leader in Cybersecurity at BDO.