[Cryptography] On New York's new "Cybersecurity Requirements for Financial Services Companies"

iang iang at iang.org
Sun Mar 12 20:29:14 EDT 2017


On 01/03/2017 12:38, Perry E. Metzger wrote:

> New York State's Department of Financial Services recently published
> its brand new regulation for banks, insurers and other similar
> companies entitled "Cybersecurity Requirements for Financial Services
> Companies":
>
> http://www.dfs.ny.gov/legal/regulations/adoptions/rf23-nycrr-500_cybersecurity.pdf
>
> ...
>
> If I were the regulator, I might have written a very similar
> document. Possibly I would have added some sort of requirements about
> patching policy, but really, under the circumstances they did what one
> could have reasonably expected of them.
>
> However, the demand that they create such a regulation wasn't
> particularly useful, and the output also isn't particularly useful,
> probably because it inherently couldn't ever be particularly useful.

It somewhat depends on what is meant by 'useful' ... or, useful to whom?

An objective look at security would say that it means to deliver to the 
users.  But a more cynical view would be that the users aren't the 
customers, instead, the corporates are the customers of security.  As 
long as the corporate is safe, then everyone is happy.

In this sense, the threat to the corporates includes, as well as 
hacking, also lawsuits, investigations, audits, loss of reputation, 
harassment in the media and fines.

If for hypothetical argument, the cost of the hacking was low (to the 
corporate!) and the cost of the fallout was high, then the better 
strategy would be to reduce the cost of fallout.

The older strategy was then met by keeping all hacks a secret.  As this 
has fallen out of favour, what seems to emerge is a compliance 
approach:  as long as the corporate followed a well-accepted 
prescription, then the corporate has done little wrong and has been 
subjected to an act of nature or of God, and should deserve our 
compassion not our scorn.

Then, corporates need that standard to set their permissible and 
acceptable actions.  If the regulator can be persuaded to draft such a 
regulation, that would fit the bill.  A court would find it hard to rule 
against a hacked corporate that followed the regulation to the letter.

> Most of the useful things it calls for, like having people who are
> responsible for security, and having policies about auditing and periodic
> testing, are already in place at essentially 100% of financial
> institutions. After all, financial services firms spend a fortune
> trying to keep themselves secure, and have for many years. However, in
> spite of the fact that all the newly mandated regulatory requirements
> are already in place at essentially every single firm, security
> breaches happen quite regularly.

Right, it doesn't need to be different to what is already done, and it 
doesn't need to change the breaches.  It just needs to be standardised 
so it can protect the corporate.

> ...
> The real issues in security are, of course, elsewhere.

Right.  Who speaks for the user?

iang


