New York's Cybersecurity Law: A Deep Dive into Its Strengths and Shortcomings

New York's financial sector is now under the purview of the Second Amendment to 23 NYCRR 500, a fresh set of cybersecurity regulations. While these new rules bring forth a comprehensive framework aimed at safeguarding critical financial data, they also leave some stones unturned. The most notable among these is the human aspect of cybersecurity. As we unpack the details of this amendment, it becomes evident that while technical and procedural defenses are being bolstered, the human element, often the weakest link in the cybersecurity chain, might not be getting the attention it deserves.

At its core, the amendment seeks to:

• Establish a standardized cybersecurity program for covered entities.
• Define key terms and concepts related to cybersecurity, ensuring clarity in interpretation and implementation.
• Set forth specific requirements based on the size and scale of the financial entities, ensuring that both large and small organizations have tailored defenses.
• Emphasize the role of leadership, particularly the Chief Information Security Officer (CISO), in overseeing and ensuring the effectiveness of the cybersecurity program.

Key Requirements of the Law:

Cybersecurity Program:

• All covered entities are mandated to establish a cybersecurity program. This program should be designed to protect their information systems from potential threats.
• The program's core functions encompass risk identification, protective measures, event detection, response mechanisms, recovery processes, and regulatory reporting.

Class A Companies:

• Distinct provisions have been set for "Class A Companies," which are typically larger entities in the financial sector.
• These companies are required to design and conduct independent audits of their cybersecurity program, ensuring that their defenses are up to par and based on their risk assessment.

Role of the CISO:

• The Chief Information Security Officer (CISO) plays a pivotal role in the cybersecurity framework of covered entities.
• Their responsibilities include overseeing the cybersecurity program and providing an annual report to the senior governing body. This report should cover various facets, from the program's effectiveness to any material cybersecurity events.

Vulnerability Management:

• Regular vulnerability assessments are a must. Entities are required to conduct penetration testing of their information systems at least once a year.
• Additionally, automated scans should be carried out to discover and report potential vulnerabilities. The frequency of these scans is determined by the entity's risk assessment.

Access Privileges and Management:

• Access to information systems should be restricted. Entities must ensure that user access privileges are limited only to those necessary for the user's job responsibilities.

Asset Inventory:

• Keeping track of assets is crucial. Entities should maintain an inventory that includes key information for each asset, such as its owner, location, classification, and more.

Secure Disposal:

• Entities must have procedures in place for the secure disposal of nonpublic information that is no longer required for business operations, unless mandated by law or regulation.

Monitoring and Training:

• Monitoring user activity is essential to detect any unauthorized access or potential threats.
• Furthermore, entities are required to provide at least annual cybersecurity awareness training, emphasizing topics like social engineering, to all personnel.

The Weakest Link: Addressing the Human Element

The Second Amendment to 23 NYCRR 500, while comprehensive in many aspects, misses the mark when it comes to the human element of cybersecurity. The amendment's nod to annual cybersecurity awareness training is a mere checkbox approach, and research has consistently shown that such infrequent trainings are ineffective.

But it's not just about frequency; it's also about the methodology. Behavioral science principles, such as cognitive load theory, emphasize the need for training materials to be digestible and not overwhelming. Cybersecurity topics, which can be complex, need to be presented in a manner that's easy to grasp and retain.

Furthermore, spaced learning theory suggests that information retention is significantly improved when learning is spaced out over time. A once-a-year training doesn't leverage this principle, whereas continuous training solutions, like PhishFirewall's gamified training and AI cyber coaching, do. They provide regular, updated, and interactive training experiences, ensuring that employees are always equipped with the latest knowledge and skills to combat cyber threats.

It's alarming that over 90% of breaches start with human error, yet regulations like this one continue to sideline the human element. For cybersecurity regulations to be truly effective, they must stop ignoring this glaring vulnerability. Addressing the human element is not just an option; it's a necessity. Laws and regulations need to prioritize continuous security awareness training and recognize its paramount importance in building a resilient cybersecurity culture.

Conclusion

The introduction of the Second Amendment to 23 NYCRR 500 is a testament to New York's commitment to fortifying its financial sector against cyber threats. The law brings forth a comprehensive set of requirements, emphasizing technical and procedural defenses. However, its oversight of the human element—a critical component in the cybersecurity equation—raises concerns.

As the digital landscape continues to evolve, so do the threats that organizations face. While technical defenses are crucial, they are only as strong as the people who interact with them daily. The stark reality is that no matter how advanced or robust a cybersecurity system is, it can be compromised by a single uninformed action by an employee.

It's imperative for future regulations to recognize and address this. By integrating continuous security awareness training and leveraging behavioral science principles, we can transform the human element from a potential vulnerability into a formidable line of defense.

In the quest for a secure digital future, it's not just about having the right tools and protocols in place; it's about ensuring that every individual is empowered with the knowledge and skills to use them effectively.

‍