On 1st March, the much anticipated cyber security regulations came into force for the financial sector in the state of New York, notable given the number of mobile banking apps that require mobile app security testing. According to security experts, these new regulations set a basic standard of security best practices and also recognise that compliance is more challenging for small to medium sized businesses.
The new regulations require insurance companies, banks and other financial institutions to develop and maintain a cybersecurity program. These regulations are the first of their kind and are seen as a model for other states in the future.
Tim Erlin, Senior Director at Tripwire said, “These new regulations will push companies to have a basic level of cybersecurity, but it doesn’t create an unfair competitive situation because it’s generally applied across the board.”
These new regulations will be fully implemented over a period of two years. Companies that generate revenue of less than $5 million and have assets of less than $10 million will be excused from compliance with the costly and technical sides of the regulations, such as penetration testing, vulnerability assessments, and mobile app security testing of financial apps, but will still need to implement an information security policy and program, and document it.
Companies now have to develop incident response plans and training programs within the next 180 days. They also have to inform the Department of Financial Services (DFS) about any security breach within 72 hours of occurrence and appoint a CISO who is responsible for the protection of confidential data.
After one year, i.e. by 1st March next year, financial institutions have to show that they have put all the practices of risk assessment, penetration testing and multifactor authentication in place. Within 18 months, they should be able to demonstrate the development of their application security, audit trail capability, data retention, and encryption.
According to Erlin, the strength of these new regulations will depend upon the extent to which they are enforced. He also added that DFS has the capability to impose fines on companies that do not comply with these cybersecurity regulations within the set time frame, referring to the recent cases in which it fined Mega Bank $180 million and Deutsche Bank $425 million for violations of money laundering laws. “While those fines are not related to cybersecurity, it does indicate that the agency is capable of imposing those types of fines and that they actually might do it,” he says.
Codified Security is here to help make your mobile app secure, whether it’s for iOS or Android, and to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.