How to keep your banking apps compliant under the new NYDFS cybersecurity regulations

Jul 2, 2018 | Blog, Security Threats


Some predict that cybercrimes will cost $6 trillion in damages per year by 2021. In response, governments around the world have decided to fight back against cyberattacks and counter threats with a host of new cybersecurity regulations for financial services.

Compliance is a requirement in order to avoid hefty fines. All firms that store highly sensitive data must be especially vigilant. That’s why cybersecurity is the top priority for almost 90% of global banks in 2018, according to a recent EY Global Banking Outlook publication.

Let’s take a closer look at some of the new global cybersecurity regulations in banking, with a focus on New York’s Department of Financial Services (NYDFS) regulations. We’ll also provide some guidance relating to security for your banking apps, so you can make sure you are compliant with these new regulations.

Cybersecurity requirements for financial services companies

Here is a quick overview of some of the more recent global financial services cybersecurity regulations.

The European Union's General Data Protection Regulation (GDPR)

The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Organizations that want to process the personal data of EU citizens must now obtain their consent, and those citizens must be able to withdraw that consent at any time. EU citizens can also request that their data be erased.

Organizations must implement data protection. This applies to any business that stores or processes data on EU citizens, regardless of where the organization is located. Financial services firms and banks need to be very mindful of the GDPR, since these entities store a lot of personal information, and the penalties for noncompliance are steep.

More information on the EU GDPR is available here.

NYDFS cybersecurity regulations

New regulations imposed on banks by New York’s Department of Financial Services (NYDFS) went into effect in 2017, with rolling deadlines for compliance. First, banks are required to report all cybersecurity events to the DFS within 72 hours, including some (but not all) unsuccessful attacks.

Additionally, financial institutions covered by the DFS cybersecurity regulations must have:

  • An appropriate cybersecurity program and policies to protect the bank’s and customers’ information
  • A Chief Information Security Officer (CISO) to oversee the cybersecurity program
  • Qualified cybersecurity employees to work with the CISO
  • An incident response plan
  • Continuous monitoring or regularly scheduled penetration testing and vulnerability assessments
  • Multi-factor authentication for remote access

The last deadline for compliance is set for March of 2019. This FAQ document released by the DFS provides answers to common questions on these new regulations.

China’s Cybersecurity Law

This law went into effect on June 1, 2017. It places additional requirements on network and system security for those sectors determined to be part of the Critical Information Infrastructure (CII). This includes financial services, and the law also applies to non-Chinese companies.

Under the new law, financial services firms and other CII organizations must:

  • Provide authorities access to data upon request.
  • Prove that their IT infrastructure meets the required cybersecurity standards and certifications.

For a deeper dive on China’s Cybersecurity Law, consult this resource from KPMG.

Banking apps and financial cybersecurity

These regulations are broad and cover many different areas of cybersecurity in banking. Our area of expertise is streamlining the application security testing process, so we will focus our attention there. Looking at the new regulations from NYDFS, there are several requirements pertaining to application security.

AppSec is addressed directly in Section 500.08, which states that an organization’s cybersecurity program must include written procedures, guidelines, and standards to ensure secure development practices are followed for applications developed in-house, and procedures for evaluating and testing applications developed externally.

In other words, application security testing is a must. The Open Web Application Security Project (OWASP) publishes an open source Application Security Verification Standard (ASVS), which is an excellent resource for organizations that need guidance in this area.

Other sections of the NYDFS regulations include application security as part of what needs to be addressed to be compliant. For example:

  • A company’s cybersecurity policy must be based on risk assessment. This means banks need to include applications in this risk assessment.
  • A written policy that outlines how information will be protected and stored is required. Banking apps store and exchange highly sensitive data—they must be covered in this policy.
  • Continuous monitoring or regular penetration testing and vulnerability assessments are required. This includes banking application testing.

Banking apps are a doorway for hackers to get to your users’ data. Assessing these apps for cybersecurity threats and making sure they comply with these new regulations must become part of your application security process.

Application security should always be a part of the design, development, and production of your banking app from day one. You will save time, money, and legal trouble if you start with AppSec first—unless you’d rather be liable for hundreds of millions of dollars in fines.

Creating secure banking apps

  • Appoint someone in charge of application security—Place someone qualified in charge of managing the application security process—not someone who is doing a dozen other things. AppSec must be his or her sole focus to ensure that application security is maintained from start to finish.
  • Establish security requirements—What security standards should be followed? What is required to make the app compliant with current regulations? Are the regulations enough, or should there be further steps taken?
  • Conduct application security testing—Multiple tools and multiple types of tools should be used as part of application security testing to ensure comprehensive coverage of the application. Types of tools that should be used include:
    • Static Application Security Testing (SAST) tools
    • Dynamic Application Security Testing (DAST) tools
    • Interactive Application Security Testing (IAST) tools
    • Threat Modeling tools
    • Software Composition Analysis (SCA) tools
    • Manual testing

Check out our blog for more information on each of these approaches.

  • Employ an Application Vulnerability Correlation (AVC) tool—Multiple tools deliver many reports with duplicate results. Developers do not have time or patience to sort through the findings. They need to know quickly which vulnerabilities are actually exploitable and should be addressed first. An AVC tool:
    • Removes duplicates from all reports and delivers a single, consolidated set containing all unique application vulnerabilities.
    • Identifies the specific lines of code where vulnerabilities exist, and identifies neighboring flaws and vulnerabilities.
    • Cross-matches results from SAST tools, which identify potential vulnerabilities from within the code (from the inside-out), with results from DAST tools, which identify vulnerabilities accessible from the attack surface (from the outside-in). By combining these two in a hybrid analysis, the AVC will show you which vulnerabilities are real, and exploitable by someone without access to the code.
    • Automatically checks your codebase against regulations such as HIPAA, the DISA-STIG, and the PCI DSS. Noncompliant lines of code are flagged, and the specific violation is identified. Suggestions about how to become compliant should be provided.
    • Integrates with issue tracking tools like Jira and popular development environments like Eclipse, so developers can work on issues within their preferred workspaces.
  • Develop and follow a remediation strategy—A formal remediation strategy is required. This provides a reproducible process you can follow each time you track known issues and fix them. Threats need to be prioritized, assigned an owner and a deadline, and formally tracked to make sure they are corrected. Without a formal strategy, this becomes much more difficult.
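The de-duplication and SAST/DAST cross-matching described above can be illustrated with a small correlation routine. The following Python is an added example written for this post; it is not the code of any AVC product, and the findings it processes are constructed sample records, not real tool output. It assumes each SAST finding carries the HTTP route its vulnerable sink serves (the `route` field), which is the join key a hybrid analysis needs to line code-level findings up with attack-surface findings; real tools obtain that mapping in different ways.

```python
"""Toy application vulnerability correlation (AVC) over constructed SAST and DAST findings."""
from dataclasses import dataclass, field


@dataclass
class Finding:
    tool: str
    kind: str        # "sast" (inside-out) or "dast" (outside-in)
    cwe: str         # weakness class, e.g. "CWE-89" (SQL injection)
    route: str       # HTTP route the sink serves; assumed present in both report types
    file: str = ""   # source location, SAST only
    line: int = 0    # source location, SAST only


@dataclass
class Correlated:
    cwe: str
    route: str
    file: str
    line: int
    sources: list = field(default_factory=list)   # tools that reported it
    confirmed_by_dast: bool = False               # reachable from the attack surface

    @property
    def priority(self) -> str:
        # Findings seen both in code and from the outside go to the front of the queue.
        return "P1-exploitable" if self.confirmed_by_dast else "P2-potential"


# Constructed sample reports (hypothetical tool names and file names).
SAST_REPORTS = [
    Finding("sast-tool-A", "sast", "CWE-89", "/api/transfer", "TransferController.java", 42),
    Finding("sast-tool-B", "sast", "CWE-89", "/api/transfer", "TransferController.java", 42),  # duplicate
    Finding("sast-tool-A", "sast", "CWE-79", "/api/profile", "ProfileView.java", 118),
    Finding("sast-tool-B", "sast", "CWE-798", "", "Config.java", 7),  # hard-coded credential, no route
]
DAST_REPORTS = [
    Finding("dast-tool", "dast", "CWE-89", "/api/transfer"),
    Finding("dast-tool", "dast", "CWE-352", "/api/logout"),  # seen only from the outside
]


def dedupe_sast(findings):
    """Merge SAST findings that point at the same (CWE, file, line), keeping every reporting tool."""
    merged = {}
    for f in findings:
        if f.kind != "sast":
            continue
        key = (f.cwe, f.file, f.line)
        if key not in merged:
            merged[key] = Correlated(f.cwe, f.route, f.file, f.line)
        if f.tool not in merged[key].sources:
            merged[key].sources.append(f.tool)
    return list(merged.values())


def correlate(sast, dast):
    """Hybrid analysis: mark SAST findings that DAST also observed, then add DAST-only ones."""
    unique = dedupe_sast(sast)
    dast_keys = {(f.cwe, f.route) for f in dast if f.kind == "dast"}
    for c in unique:
        if (c.cwe, c.route) in dast_keys:
            c.confirmed_by_dast = True
    # DAST-only findings have no code location yet but are externally reachable,
    # so they are kept and flagged rather than dropped.
    matched = {(c.cwe, c.route) for c in unique}
    for f in dast:
        if f.kind == "dast" and (f.cwe, f.route) not in matched:
            unique.append(Correlated(f.cwe, f.route, "", 0, [f.tool], True))
    # Exploitable-from-outside first, then by weakness class for a stable report.
    unique.sort(key=lambda c: (not c.confirmed_by_dast, c.cwe))
    return unique


if __name__ == "__main__":
    for c in correlate(SAST_REPORTS, DAST_REPORTS):
        where = f"{c.file}:{c.line}" if c.file else "(no code location)"
        print(f"{c.priority:15} {c.cwe:8} {c.route:14} {where:30} reported by {', '.join(c.sources)}")
```

Run as a script it prints a single consolidated list: the two tools' identical SQL injection reports collapse into one P1 entry because the DAST scan reached the same route, the XSS and hard-coded credential findings stay as P2 code-level findings awaiting manual review, and the CSRF finding that only DAST observed is retained for triage rather than silently dropped.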

If you don’t have the proper cybersecurity expertise on your in-house application development team, work with a company you can trust to keep your application secure from data breaches.

The NYDFS cybersecurity regulations place new requirements on your banking apps concerning application security and vulnerability assessments. Staying compliant is necessary to avoid violations. It will also keep your applications more secure, which will improve your organization’s reputation and contribute to the success of your banking apps.
