New York Cybersecurity Regs to Take Effect March 1

The state of New York is implementing sweeping new regulations designed to protect insurers, banks and others from the growing wave of electronic security breaches which are making headlines and causing headaches across the financial services industry.

The new rules, slated to take effect March 1, mandate that insurers, banks and other financial services institutions regulated by the Department of Financial Services (DFS) establish and maintain a cybersecurity program. In addition to setting program standards, the 12-page document also provides definitions for companies as well as laying out “Transitional Periods” of 180 days to two years for companies to comply with different parts of the conditions and parameters of the regulations.

Entities must create and maintain written policies, requiring board-level or equal approval, setting out the company’s cybersecurity plan. Companies also must designate a chief information security officer (CISO), either in-house or third-party, who will be required to report annually to the company’s board. The rules call for stress testing of systems and periodic risk assessment and for the inclusion of third party service providers in a company’s cybersecurity plan.

The regulations will be published in the New York State register on March 1 and lay out the Department’s logic in establishing the new standards. According to the document:

“The New York State Department of Financial Services (DFS) has been closely monitoring the ever-growing threat posed to information and financial systems… Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances… It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs.”

New York’s regulatory framework is the first of its type in the nation, according to a release from the Governor’s office.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Andrew M. Cuomo said in the statement. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

Under development since 2014, proposed new regulations were first published in September 2016, followed by a 45-day comment period. Updated proposed regulations were then published in December 2016, followed by a 30-day period for comments. Then in December, N.Y. state delayed implementing the rules and subsequently adjusted some requirements to reflect input from the industry, which asserted the rules were burdensome and said they would need more time to comply.

In addition to these accommodations, DFS took measures not to burden smaller businesses by establishing limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end assets.

According to the statement from the Governor’s office, the new regulations mandate:

• Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization

• Risk-based minimum standards for technology systems including access controls, data protection that includes encryption, and penetration testing

• Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events

• Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS

While cybersecurity has become an outsized concern for many business as high-profile breaches have played out in the media, sometime drawing in millions of consumers and costing companies millions of dollars in addition to precious reputational damage, many businesses remain under—or unprepared—for the challenges posed by cyber threats.

Indeed, The Hiscox Cyber Readiness Report 2017 surveyed managers and IT specialists at 3,000 small to large companies in the U.S., U.K. and Germany and found that just over half, 53%, of businesses are ill-prepared to deal with cyber-attacks. The study ranked companies from novice to expert in four key areas: strategy, resourcing, technology and process. Only 30% qualified as “expert” in their overall cyber readiness, of which 49% were U.S.-based companies.

10 Lessons Learned from Breach Response Experts

SAN FRANCISCO—As hacking collectives target both the public and private sectors with a wide range of motivations, one thing is clear: Destructive attacks where hackers destroy critical business systems, leak confidential data and hold companies for ransom are on the rise. In a presentation here at the RSA Conference, the nation’s largest cybersecurity summit, Charles Carmakal and Robert Wallace, vice president and director, respectively, of cybersecurity firm Mandiant, shared an overview of some of the biggest findings about disruptive attacks from the company’s breach response, threat research and forensic investigations work.

In their Thursday morning session, the duo profiled specific hacking groups and the varied motivations and tactics that characterize their attacks. Putting isolated incidents into this broader context, they said, helps companies not only understand the true nature of the risk hackers can pose even in breaches that do not immediately appear to target private industry.

One group, for example, has waged “unsophisticated but disruptive and destructive” against a number of mining and casino enterprises in Canada. The hackers broke into enterprise systems, stole several gigabytes of sensitive data and published it online, created scheduled tasks to delete system data, issued ransom requests, and even emailed executives and board members directly to taunt them about the data exposed and increase the pressure to pay. Further increasing that pressure, the group is known to contact journalists in an attempt to publicize the exposed data. Victims have endured outages for days while trying to recover data from backups, and some have paid the ransoms, typically requested in the range of $50,000 to $500,000 in bitcoin.

Mandiant refers to this group as Fake Tesla Team because the hackers have tried to seem a more powerful and compelling threat by claiming they are members of Tesla Team, a far more sophisticated group that launches DDoS attacks. As that group is thought to be Serbian, they have little reason to target Canadian entities, and indeed, the bits of Russian in Fake Tesla Team’s code appears to be simply translated via Google.

In all of the group’s attacks that Mandiant has investigated, the hackers had indeed gained system access and published data, but they exaggerated their skills and some of the details of access. Identifying such a group as your attacker greatly informs the breach response process based on the M.O. and case history, Mandiant said. For example, they know the threat is real, but have seen some companies find success in using partial payments to delay data release, and they have found no evidence that, after getting paid, the collective does anything else with the access they’ve gained.

Beyond considerations of specific hacking groups or their motivations, Carmakal and Wallace shared the top 10 lessons for addressing a breach Mandiant has distilled from countless investigations:

  1. Confirm there is actually a breach: make sure there has been a real intrusion, not just an empty threat from someone hoping to turn fear into a quick payday.
  2. Remember you face a human adversary—the attacker attempting to extort money or make other demands is a real person with emotional responses, which is critical to keep in mind when determining how quickly to respond, what tone to take, and other nuances in communication. Working with law enforcement can help inform these decisions.
  3. Timing is critical: The biggest extortion events occur at night and on weekends, so ensure you have procedures in place to respond quickly and effectively at any time.
  4. Stay focused: In the flurry of questions and decisions to make, focus first and foremost on immediate containment of the attack.
  5. Carefully evaluate whether to engage the attacker.
  6. Engage experts before a breach, including forensic, legal and public relations resources.
  7. Consider all options when asked to pay a ransom or extortion demand: Can you contain the problem, and can you do so sooner than the attack can escalate?
  8. Ensure strong segmentation and control over system backups: It is critical, well before a breach, to understand where your backup infrastructure is and how it is segmented from the corporate network. In the team’s breach investigations, they have found very few networks have truly been segmented, meriting serious consideration from any company right away.
  9. After the incident has been handled, immediately focus on broader security improvements to fortify against future attacks from these attackers or others.
  10. They may come back: If you kick them out of your system—or even pay them—they may move on, perhaps take a vacation with that ransom money, but they gained access to your system, so remember they also may come back.

Eliminating Language Barriers Between Information Security and the C-Suite

Whether or not security operations pose a core focus to a company or are an afterthought, the largest obstacle now affecting business and security outcomes is the language barrier that exists between security teams and the C-Suite.

In general, security groups’ budgets have increased over the years, with organizations adding more vendors to the mix, “layering” security with the latest new tool to address the latest threat. One of the newest such tools is “threat intelligence” which organizations are using to form an “intelligence-led security” program, a security operations center, or incident response capabilities. While threat intelligence and other solutions hold the answers to many of the important questions executives ask about cyberattacks, this terminology means nothing to C-level executives, nor does the output from these systems and programs. What does it mean that you have stopped one billion attacks this past month? What impact have the 30 incident responses you’ve run over that same period of time had on the business? What’s the significance to reducing response time from one month to one day?

Executives running and overseeing a company have two primary concerns: increasing revenue and shareholder value. There is a big disconnect between security and the C-suite because they speak two different languages. One is a very technical language that needs a translation layer to explain it to the executives. The other is a very strategic language that needs to be conveyed in a way that makes security part of the team and company, and ensures alignment and participation with the business units and executive suite.

What’s the fix? Communication. Each group has to understand the other at least enough to relay the core concepts as they apply to the other and in a language the other understands. As a first step, some companies are adding a technical expert—a “designated geek,” if you will—to their board of directors so they can work on improving communication and understanding. While that can help, it takes a lot more to make sure priorities, efforts and results don’t get lost in translation.

A Two-Way Street

Executives need to include the chief information security officer or chief technical officer as part of their strategic discussions and make sure that security leadership has the ability to push that communication down to their teams in a way everyone understands. To that end, CISOs and executives need to train their security operations personnel to ensure they understand the business. This starts by asking some critical questions:

  • Does every member of the security team understand what is it that you sell/produce/provide?
  • What are the things your security teams need to watch out for to protect revenue?
  • Many organizations operate large industrial control systems. If your organization has such a system, is your security team aware of this?
  • If your company is moving into the cloud or is about to launch a mobile app, does your security team know about this and have you enabled them to get the right monitoring in place to protect it?
  • Have you involved the security team as you were designing that new revenue stream, or evolving your business model in some other way, to be sure that security isn’t an afterthought?

These are just a few examples of how executives need to think about the enterprise to ensure that security is strategically aligned. It is incumbent on the business to train the security personnel on its priorities so that security teams can look for attacks that are important to the business and take action.

Likewise, security teams need to change how they communicate to the C-suite. Every security team should conduct a stakeholder analysis to identify who needs to be informed of what and when. It all comes down to content, format and frequency. Make sure you have regular communications with not only your peers in security and network operations, but with the business units, risk management, C-level executives, the board of directors, and anyone else in the company that is involved in the day-to-day objectives and operations of the company. The CISO should be the link to make this connection happen, working with executives to establish regular communication.

There is no “right way” to communicate. Some executives and boards are more technical than others. Security teams need to take the time to learn what type of communication will be most effective or forever struggle to align security with the business. Sticking with the generated metrics of number of events, alerts and incidents per month has far less impact than an update that contains the “who, what, when, where and why” of a thwarted attack. For example: “We identified and stopped one attack this month from a cyber espionage group targeting our Western European manufacturing facility, which is responsible for $20 million per year in revenue to the company.”

For those in security who feel they can’t deliver such a statement because their security infrastructure doesn’t provide that kind of information about threat actors and campaigns, there is a path forward. Look into creating a program that uses adversary-focused, contextual cyber threat intelligence and make sure you understand enough about your business to know the impact of threats against the various business units. With the communication gap closed, and security and business goals aligned, organizations can become more secure, and profitable.

Aon Introduces Single-Parent Captive Cyber Insurance Program


With cyberattack listed as one of their top risks, organizations are looking for ways to mitigate their risk in a market where cyber insurance rates are quickly rising. According to the Center for Strategic and International Studies, the annual cost of cyber crime and economic espionage to the world economy runs as high as $445 billion, or about 1% of global income.

This does not include intangible damage to an organization, however. Companies are purchasing more insurance to cover the risk. In 2014, the report said, the insurance industry took in $2.5 billion in premiums on policies to protect companies from losses resulting from hacks.

As a result, captive insurers are being used more and more for coverage.

Aon said it is addressing shortcomings in traditional cyber coverage with a cyber captive program with capacity of up to $400 million. Companies looking to form a captive would undergo a review to quantify their cyber exposures.

According to Peter Mullen, CEO of Aon Captive and Insurance Management, the program is designed to help clients understand their risk profile. “Once this is understood, they are is in a better position to make decisions about how much risk to retain in their captive and how much risk to transfer to the program,” Mullen said. “The program allows captives to purchase coverage up to $400 million on a reinsurance or excess insurance basis.”

The cyber captive program will be domiciled in Bermuda and is available to single-parent captives. The basis for coverage will be “a very broad form which includes coverage for property damage and business interruption following a cyber event,” he added.

“Building a large tower of limits can be hampered by differing policy terms and conditions and dislocation of rates at different layers in a program,” Mullen said. “Additionally, many organizations facing cyber risks that can result in physical impacts, such as property damage and business interruption, agree that a more comprehensive approach to cyber risk is needed.”