It is encouraging that regulators recognize the gravity of cyber risk, as indicated by proposed security regulations announced by New York Gov. Andrew Cuomo. But New York's plan is still far from what banks need to deal with the threat.
New York's proposal includes, among other things, requiring a financial institution to: appoint a chief information security officer, get company certification that security controls are adequate and provide notice of a breach within 72 hours to the New York State Department of Financial Services. Companies must also conduct regular penetration testing and cybersecurity training for bank personnel.
The strength of the state's proposed regulations is the required breach notification and the accountability they impose on banks, both of which are likely to help elevate cybersecurity to a board-level issue and governance responsibility. However, the regulations lack clear guidance for bank officials on how to actually strengthen and measure their network security.
Not only is 72 hours too long to protect other banks from discovered threats, but regular testing and cybersecurity training for bank personnel have proven perfunctory rather than effective. Banks need not just accountability for their security but also meaningful guidance on how to achieve it.
A more meaningful reform by bank regulatory bodies would require full transparency after a breach, similar to how the National Transportation Safety Board publishes detailed reports after transportation disasters. In the case of cyber breaches, other banks and their cybersecurity suppliers would improve their security posture through full disclosure of the attack, including the initial attack vector, which vulnerabilities were exploited, what method or tool the attacker used and, of course, the origin of the attack or the identity of the adversary if known.
Yet on top of a full accounting of the breach and its root-cause analysis — which would take investigators months to complete — more immediate threat reporting is also essential to protect other banks — including smaller institutions — that are likely facing similar threats. In this regard, notification of a breach to the DFS within 72 hours seems comparatively long and inadequate. Today's attacks move at the speed of the network, and the systems for sharing threat intelligence must reflect the time scales of these attacks.
For fast-response reporting and threat intelligence sharing, existing organizations such as the nonprofit Financial Services Information Sharing and Analysis Center (FS-ISAC) should be leveraged. Industry-funded technology such as Soltra should be adopted by banks to minimize the window of time between a detected compromise and alerting the industry.
Requiring company officers to certify security controls will help banks get ahead of the crime by bringing needed focus to cybersecurity; however, the proposed rules do not provide enough guidance on what constitutes acceptable defenses against the threats banks face.
Banks need better guidance on how to actually secure their systems. As an example, municipalities impose building codes that reflect the threat from fire and, in regions prone to them, from natural disasters such as earthquakes and floods. Building codes are very specific about the tolerances that must be met for a structure to pass inspection and be habitable as a residence or business.
The proposed regulations, meanwhile, specify only periodic penetration testing and security training, which by themselves provide no assurance that banks will withstand the attacks they face.
In short, the proposed new regulations are a step in the right direction, but they fall short. Banks today already meet most of these proposed requirements, including having an appointed CISO and performing regular testing and training. Meaningful reform from regulatory bodies is therefore still needed. That reform should mandate full disclosure of breaches and real-time threat sharing, and it should provide specific guidance for banks on achieving the levels of security needed against the cyber threats they face.
Anup Ghosh is founder and CEO of Invincea Inc., a machine learning next generation anti-virus company.