The recent WannaCry ransomware attacks highlight the importance of proactive cybersecurity measures, much like those taken by New York State in March when it enacted the nation’s first cybersecurity regs to protect the state’s financial services industry and consumers from cyberattacks.

The new regulation requires banks, credit unions, insurance companies and other financial services institutions regulated by the state’s Department of Financial Services to establish and maintain a cybersecurity program.

“The New York Department of Financial Services realized credit union data breaches were rising higher than other industries and most likely not adopting proper policies and controls,” said Brad Taylor, CEO of the Carlsbad, Calif.-based Proficio, a managed security services provider. “So they stepped in to force regulation to protect New York consumers.”

Taylor, like others interviewed for this story, spoke to CU Journal prior to the WannaCry attacks.

In 2013, Taylor noted, the state of New York experienced a record year for data breaches, with 7.3 out of 20 million New Yorkers’ (36.5 percent) personal and financial information being compromised. Additionally, more than 900 private and public institutions were breached.

“From 2015 to 2016, the number of data breaches in New York continued to grow, increasing by 60 percent,” he said.

According to Verizon’s 2017 Data Breach Investigations Report (DBIR) – which analyzed more than 42,000 cybersecurity incidents and nearly 2,000 data breaches from over 84 countries using data from nearly 65 organizations – 61 percent of victims analyzed were businesses with fewer than 1,000 employees.

The report also found that the top three industries for data breaches are financial services (24 percent), healthcare (15 percent) and the public sector (12 percent).

“The cybercrime data for each industry varies dramatically,” said Bryan Sartin, executive director, Global Security Services, Verizon Enterprise Solutions. “It is only by understanding the fundamental workings of each vertical that you can appreciate the cybersecurity challenges they face and recommend appropriate actions.”

CU cyber checklist
As of April 2017, there were 364 credit unions headquartered in New York comprising more than 1,000 branch office locations. New York credit unions support 5.4 million members with over $76 billion in total assets.

How these new regulations will impact IT departments at CUs depends on a few factors, explained Reuven Harrison, CTO of the Boston, Mass.-based Tufin, a network security company.

“In a perfect world, there should be no impact since the credit unions should have been implementing such measures prior to the regulations as there are no ground-breaking requirements here, just the standard best practices,” said Harrison. “However, in most cases, there will probably be a gap between the current state of affairs and the new requirements. This will need to be addressed by increasing the team size, hiring talent and modernizing the security operations.”

Reuven Harrison, CTO of Tufin
Reuven Harrison, CTO of Tufin

While the new regulations are still in the initial stages, Taylor said credit unions are still required to self-audit, attest annually they are compliant and provide a breach notification to the superintendent.

“If credit unions are not complying with the regulations and end up suffering from a breach, they would inevitably need to dip into their pockets,” said Taylor. “Apart from a class action litigation that oftentimes follows security breaches, non-compliance puts credit unions’ credibility and reputation on the line with an incredibly negative impact due to the breach.”

Wanted: CISOs
For IT departments in New York, it won’t necessarily be business as usual, as they will be tasked with an array of new responsibilities and requirements. Apart from establishing “a strong and cohesive” cybersecurity program, Taylor said, IT employees must also adopt a robust cybersecurity policy.

“Credit unions need to hire a chief information security officer (CISO) and implement privacy policies and best practices for third-party service providers,” said Taylor. “The IT team will be loaded with conducting periodic risk assessments to ensure compliance and are responsible for notifying the superintended within 72 hours of determining a cyber incident that is likely to impact or harm any material part of the credit union, or if notice needs to be given to an additional regulatory body.”

When determining whether or not third-party vendors are adhering to the new cybersecurity regulations, Harrison said it’s better to practice “extreme caution” regarding matters of compliance.

“Credit unions should operate under the assumption that third parties are non-compliant and restrict their privileges to the bare minimum needed to conduct business,” said Harrison.

Whether New York’s forward-leaning cybersecurity efforts will reduce breaches or spur other states to follow suit remains an all-important unknown.

“While the New York regulations may lead to a more structured cybersecurity program for credit unions, they also have the potential to backfire and end up costing institutions a lot of money for little results— no cybersecurity efforts in place,” said Taylor. “An alternative would be to consider model laws that tend to bridge the gap between competing viewpoints across several states since they cover a wide range of subjects, but they need to first be approved by organizations developing them before state lawmakers can take a look.”