[Cryptography] On New York's new "Cybersecurity Requirements for Financial Services Companies"
iang
iang at iang.org
Sun Mar 12 20:29:14 EDT 2017
On 01/03/2017 12:38, Perry E. Metzger wrote:
> New York State's Department of Financial Services recently published
> its brand new regulation for banks, insurers and other similar
> companies entitled "Cybersecurity Requirements for Financial Services
> Companies":
>
> http://www.dfs.ny.gov/legal/regulations/adoptions/rf23-nycrr-500_cybersecurity.pdf
>
> ...
>
> If I were the regulator, I might have written a very similar
> document. Possibly I would have added some sort of requirements about
> patching policy, but really, under the circumstances they did what one
> could have reasonably expected of them.
>
> However, the demand that they create such a regulation wasn't
> particularly useful, and the output also isn't particularly useful,
> probably because it inherently couldn't ever be particularly useful.
It somewhat depends on what is meant by 'useful' ... or, useful to whom?
An objective look at security would say that it means to deliver to the
users. But a more cynical view would be that the users aren't the
customers, instead, the corporates are the customers of security. As
long as the corporate is safe, then everyone is happy.
In this sense, the threat to the corporates includes, as well as
hacking, also lawsuits, investigations, audits, loss of reputation,
harassment in the media and fines.
If for hypothetical argument, the cost of the hacking was low (to the
corporate!) and the cost of the fallout was high, then the better
strategy would be to reduce the cost of fallout.
The older strategy was then met by keeping all hacks a secret. As this
has fallen out of favour, what seems to emerge is a compliance
approach: as long as the corporate followed a well-accepted
prescription, then the corporate has done little wrong and has been
subjected to an act of nature or of God, and should deserve our
compassion not our scorn.
Then, corporates need that standard to set their permissible and
acceptable actions. If the regulator can be persuaded to draft such a
regulation, that would fit the bill. A court would find it hard to rule
against a hacked corporate that followed the regulation to the letter.
> Most of the useful things it calls for, like having people who are
> responsible for security, and having policies about auditing and periodic
> testing, are already in place at essentially 100% of financial
> institutions. After all, financial services firms spend a fortune
> trying to keep themselves secure, and have for many years. However, in
> spite of the fact that all the newly mandated regulatory requirements
> are already in place at essentially every single firm, security
> breaches happen quite regularly.
Right, it doesn't need to be different to what is already done, and it
doesn't need to change the breaches. It just needs to be standardised
so it can protect the corporate.
> ...
> The real issues in security are, of course, elsewhere.
Right. Who speaks for the user?
iang