Financial service organizations in New York are fast approaching the one-year mark of the implementation of the NYDFS Cybersecurity Regulation. The first deadlines hit in 2017, and firms were given a one-year transition period. By February 15th, CISOs must file their first certification report and by March 1st firms have to be in compliance with five more sections of 23 NYCRR Part 500.
The NYDFS Cybersecurity Regulation is one of a growing number of regulatory requirements aimed at protecting companies and their customers from cyber threats. But how effective is the regulation at actually keeping organizations secure? Is compliance merely a burden, introducing new work for security teams that detracts from establishing true security best practices?
Though the aim of NYDFS is laudable, the way financial service firms approach compliance will determine whether the regulation’s requirements will lead to a cybersecurity approach that can keep up with evolving cyber risk.
What Is the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation was created to promote the protection of customer information as well as the information technology systems of regulated entities. Today, the financial services industry is a significant target for cyber criminals. In particular, digital transformation has brought finance and cyber fraud into direct contact and increased the types and speed of fraud taking place on digital channels. The NYDFS regulation establishes cybersecurity requirements for financial service firms to make sure they are monitoring for cyber risk and protecting sensitive data.
The final piece of the New York Department of Financial Services (NYDFS) cybersecurity regulation, 23 NYCRR Part 500, came into effect in March 2017. The regulation covers financial service companies, including licensed lenders, state-chartered banks, trust companies, private bankers, mortgage companies, insurance companies doing business in New York, and others.
Key Requirements Under NYDFS
The NYDFS Cybersecurity Regulation requires financial services companies to design a cybersecurity program that addresses risk and has buy-in from senior management. To accomplish this, here are some of the key requirements under the regulation:
- Maintain a cybersecurity program that protects the confidentiality, integrity and availability of information systems
- Establish a cybersecurity policy
- Hire a Chief Information Security Officer
- Conduct periodic risk assessments
- Use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access to nonpublic information or information systems
- Provide training and monitoring
- Establish an incident response plan
Moving from Compliance to True Security with Behavioral Biometrics
The cyber threats financial institutions are up against are complex. Cyber criminals hack financial institutions to commit fraud by using everything from synthetic identities to malware and phishing attacks. With thousands of transactions to monitor, it’s difficult to accurately separate fraudulent activity from that of a real user. And with faster payments now a reality in Europe and the United States, the task is even more complex.
The NYDFS created its requirements to help financial services organizations address these rising threats. But real security means more than just compliance. Banks need to make sure that the cybersecurity solutions they implement are up to the task.
Behavioral biometrics is an advanced technology that is already helping financial institutions around the globe provide better security for their customers and fight cyber fraud. Behavioral biometrics protects millions of users every day from account takeover fraud, remote access attacks, social engineering and more, stopping the theft of funds and interruption of payments.
How does it work? Behavioral biometrics run in the background of an application, monitoring and cataloging user behavior to establish user profiles. These profiles allow behavioral biometrics to distinguish between legitimate customers and cyber criminals, flagging any suspicious activity for fraud. Banks that use these solutions are able to detect and stop fraud in real time, not days or weeks after an incident occurs. As a result, customers experience less disruption and loss of resources.
The NYDFS Cybersecurity Regulation requires that an organization’s cybersecurity program and policies be able to protect sensitive information from unauthorized access and malicious attacks. Traditional fraud prevention measures allow banks to comply with this requirement, but they also fall short of providing true security. Behavioral biometrics, however, are able to detect human and non-human fraud in the moment, allowing financial institutions to detect advanced cyber attacks that compromise their security and lead to loss of protected data.
One UK bank looking to better detect account takeover fraud deployed behavioral biometrics and saw an increased fraud detection rate of 95%. Using behavioral biometrics also allowed the bank to reduce false positives, meaning they were able to catch almost all fraud while reducing the number of alerts monitored each day.
Behavioral biometrics also enhance multi-factor authentication in a way that’s unobtrusive and more secure than traditional options. NYDFS requires that financial institutions employ two of these three options for multi-factor authentication: knowledge factors, such as a password; possession factors, such as a token or text message on a mobile phone; or inherence factors, such as a biometric characteristic. However, traditional solutions that rely on personally identifiable information, such as passwords, mothers’ maiden names and social security numbers, have proven to be ineffective because frequent major data breaches have exposed so much of that information. Behavioral biometrics avoid the problem of static identifiers by continually monitoring user behavior to detect anything out of the ordinary. If behavior on an application deviates from the user’s established profile, the technology can introduce a step-up authentication to validate the user’s identity. The behavioral profiling itself runs in the background; this additional measure appears only when further authentication is needed.
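The profile-then-step-up logic described above, as an added illustration that is not code from the article or from any vendor’s product: a per-user baseline is learned from enrolled sessions, a live session is scored by its deviation from that baseline, and the score is mapped to allow, step-up or block. The feature names, sample values and thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed behavioural features, the kind a client-side collector would
# measure in the background: inter-key delay (ms), mouse speed (px/s),
# and session length (s). Any real product uses many more signals.
FEATURES = ("key_delay_ms", "mouse_speed", "session_secs")

# Constructed enrolment data for one user (four past sessions).
ENROLLED_SESSIONS = [
    {"key_delay_ms": 120, "mouse_speed": 300, "session_secs": 400},
    {"key_delay_ms": 130, "mouse_speed": 320, "session_secs": 420},
    {"key_delay_ms": 110, "mouse_speed": 280, "session_secs": 380},
    {"key_delay_ms": 125, "mouse_speed": 310, "session_secs": 410},
]

@dataclass
class Profile:
    means: dict
    stdevs: dict

def build_profile(sessions):
    """Learn the user's baseline: mean and spread of each feature."""
    means = {f: mean(s[f] for s in sessions) for f in FEATURES}
    # Floor the spread so a perfectly consistent user does not divide by zero.
    stdevs = {f: max(pstdev([s[f] for s in sessions]), 1e-6) for f in FEATURES}
    return Profile(means, stdevs)

def deviation_score(profile, observed):
    """Mean absolute z-score across features; 0 means 'normal for this user'."""
    zs = [abs(observed[f] - profile.means[f]) / profile.stdevs[f] for f in FEATURES]
    return sum(zs) / len(zs)

def decide(profile, observed, step_up_at=2.0, block_at=4.0):
    """Risk-based decision: challenge only when behaviour drifts from the profile."""
    score = deviation_score(profile, observed)
    if score >= block_at:
        return "block"       # far outside the norm, e.g. scripted/bot-like input
    if score >= step_up_at:
        return "step_up"     # plausible but unusual: ask for a second factor
    return "allow"           # matches the profile: no visible friction

if __name__ == "__main__":
    profile = build_profile(ENROLLED_SESSIONS)
    live = {"key_delay_ms": 150, "mouse_speed": 340, "session_secs": 430}
    print(decide(profile, live))  # prints "step_up"
```

The thresholds are the policy knob a fraud team tunes against its own false-positive budget; lowering `step_up_at` catches more drift at the cost of more challenges.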
Though the NYDFS Cybersecurity Regulation is a good step toward making sure financial service organizations are thinking about cybersecurity, the regulation itself is not enough to protect financial institutions from the growing complexity of cyber fraud. Regulations can’t keep up with the evolving nature of cyber risk, which means organizations need to go beyond compliance to stay ahead of cyber criminals.
Interested in learning more about how banks can stop cyber fraud with behavioral biometrics? Take a look at our white paper on the benefits of continuous authentication over other common safeguards, like two-factor authentication.