Last year, New York’s Department of Financial Services (NYDFS) made history when it became the first state department in the nation to implement wide-ranging state cybersecurity regulations for banks. The new regulations, known formally as the NYDFS Cybersecurity Requirements for Financial Services Companies, went into effect March 1, 2017, and require thousands of financial institutions that do business in the state of New York to conduct a risk assessment and maintain a risk-based cybersecurity program.
The new rules were understandably daunting for some banks. But given the current cybersecurity landscape, they were also necessary. Since 2013, data breaches have compromised more than 13 billion records containing personal information, according to the Breach Level Index. New York’s new regulations were designed to protect customer data and ensure the safety of New York’s financial services industry. Given that New York is the financial hub of the world, the new regulations are critical. Other states — and possibly the federal government — will likely follow suit and enact similar regulations.
One interesting aspect of the NYDFS Cybersecurity Requirements for Financial Services Companies is that they require affected entities to use biometrics as part of an MFA solution. It’s just one example of how new regulations are spurring adoption of biometrics in a variety of industries.
So far, New York banks have kept news about how they plan to ensure compliance with the new regulations somewhat quiet. But we did find a few examples of banks that are implementing new systems. For example, the Royal Bank of Scotland Group Plc was one of the first banks to react to the new regulations, working with BioCatch to employ multi-factor authentication technology before the NYDFS cybersecurity rules even became official, according to The Telegraph. (BioCatch’s technology works by tracking multiple variables of a user’s biometrics — fingerprints, hand-eye coordination, typographical keyboard strokes, timing, scrolling, and other finger movements — to detect anomalies. The system can also recognize automated malicious account takeover attacks.)
More recently, biometrics company BIO-key announced that an unnamed regional bank serving customers throughout Long Island and neighboring NYC boroughs selected them to provide a biometric sign-in solution for employees accessing computer devices and connected applications. The bank uses BIO-key’s ID Director software solution to add fingerprint biometric authentication to the bank’s Windows platform. The bank is also integrating BIO-key fingerprint scanners to secure access to each computing device.
New York’s new rules were met with some pushback from the financial community, but it’s clear that passwords alone are no longer enough to protect our financial institutions. NYDFS recognizes that to keep up with savvy cybercriminals, they will have to use more sophisticated protection methods, such as biometrics. And it’s hard to argue that requiring banks to have increased cybersecurity protections is a bad thing.
Veridium is also working with financial services clients to deliver strong authentication using its biometric platform. According to Veridium’s CEO, James Stickland, “We are now delivering for a number of financial services clients that believe passwords are not enough, and adding a token to a password creates a more challenging user experience. We are helping enterprises protect assets and customer privacy whilst delivering a platform service that future proofs a rapidly changing authentication market.”
Whether your state follows in New York’s path and implements new cybersecurity regulations for banks or not, it looks like many banks are planning to move in that direction on their own. A recent analysis by Goode Intelligence predicted that 1.9 billion bank customers will regularly use biometric interfaces by 2020.
The final round of compliance deadlines for the NYDFS Cybersecurity Requirements for Financial Services Companies is coming up fast — March 1, 2019. By that date, New York financial institutions will be required to implement third-party service provider security policies and ensure compliance with all parts of the regulation. It should be interesting to see how the regulations play out and what effect they ultimately have in protecting consumer data.