Hiding Hacks Just Became Tougher
When dealing with successful and unsuccessful hacking attempts, financial services firms can no longer take the “no new is good news” approach.
Under New York State Department of Financial Service’s cyber-security regulation, which went into effect earlier this year, those firms supervised by the state regulator must report all hacks and attempted hacks to the NYSDFS via its online portal.
All of the approximately 1,200 financial services firms regulated by the NYSDFS, should have registered their organizations on the portal by August 28.
Many firms still may be waiting to register since the NYSDFS did not have the portal up until a week before the deadline, Michael Corcione, managing director of cyber-security and data protection consulting services at Cordium, told Markets Media.
“I doubt many firms even have registered with the website or even realized what their reporting processes are,” he said. ” I just think many firms are way behind.”
Those financial companies that are tempted to delay their registration further should think again, according to Corcione.
“The NYSDFS will be able to use analytics to see who has signed up with the portal and who has not,” he said. “They will have a list and can match names. Those who signed up early will be low on its radar. Those who signed up late will be high on their radar.”
However, once firms are registered, they still will need to report hacking incidents and attempted hacking incidents.
“What you report as an incident depends on what your policy defines as an incident, Corcione explained. “One company may call a phishing email attack an incident while another firm may not because it did not penetrate certain barriers of the organization.”
Under-reporting incidents also may expose firms to NYSDFS Matter Requiring Attention or Matter Requiring Immediate Attention notices and ultimately fines.
The NYSDFS is going to expect to see some “noise” and activity, according to Corcione.
He expects the regulator to hire data scientists and analyst to review the data similar to how the Securities and Exchange Commission has to evaluate trading trends of insider trading.
It is bad behavior using sensitive information, he noted. “The NYSDFS will do the same thing to see how firms are adhering to the requirements they put out. This is why you should pay attention to the portal reporting requirement. If you try to stay under the radar, you are going to race to the top.”
Some on Wall Street might feel a little schadenfreude.
Dearth of board-level experience hampers cybersecurity planning and rollout.
One legislator wants markets better informed in case of cyberattack.
No single firm or regulator can tackle the borderless nature of cyber-crime.
New regulations with little harmonization make life difficult for firms.