You know banks and related financial institutions are primary targets for cyberattacks and other security threats. In fact, notorious 20th-century bank robber Willie Sutton famously said he robbed banks “because that’s where the money is.”

Times really haven’t changed much since then. Even as IT security is tightened, attackers are finding more innovative ways to target financial institutions — which is why it’s imperative to upgrade IT security systems and application security programs regularly.

The banking, financial services and insurance (BFSI) sector is impacted by various regulations that protect such organizations and their customers from potential cyberthreats. The New York Department of Financial Services (NYDFS) introduced a regulation called 23 NYCRR Part 500 for banks, insurers and other financial institutions that operate in New York City. The regulation requires each company to “assess its specific risk-based profile and to tailor a program that addresses the risks identified by self-assessment.”

NYDFS Regulation Aims to Bolster Financial Cybersecurity

The regulation initially came into effect on March 1, 2017 — and it’s the first in the U.S. to mandate such protection by banks, insurers and other financial institutions within the NYDFS’s regulatory jurisdiction. Its overarching goal is to protect institutions’ customer information from potential cyberattacks. Entities impacted by the legislation are required to be in compliance by March 1, 2019.

The legislation specifically addresses several compliance areas, including maintenance of a cybersecurity policy; retention of a chief information security officer (CISO) and other qualified personnel; and the establishment of a written incident response (IR) plan.

In the area of application security, the directive states:

  1. “Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity”; and
  2. “All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.”

Don’t Sleep on Application Security

One aspect that’s often neglected during IT security implementation is the importance of securing your organization’s applications. During the development stage, security too often slips through the cracks. However, application security is imperative to protect your organization from security threats.

Your applications house vital, mission-critical data and any security breach could cause significant damage and disruption to your organization and its reputation. Still, security is often lost in the mad dash to accelerate application delivery.

For banks and other financial institutions, application security is even more critical and could become an area of vulnerability if left unaddressed.

With the need to keep track of all of these mind-boggling requirements, you might be wondering where to begin. For starters, security leaders should invest in an IR platform to effectively orchestrate and automate their response and cyber resiliency processes. CISOs must also prepare themselves — and their teams — to deal with myriad IT security issues, such as inadvertent insider threats.

To specifically address your organization’s potential application security challenges, register now for complimentary trials of IBM Security AppScan and IBM Application Security on Cloud. Find out how you can conveniently manage application security risk. IBM’s complimentary risk management e-guide also provides practical guidance to address application security risk more effectively. You can apply lessons learned in the e-guide to all of your current IT security initiatives.

Read the complete e-guide: Five Steps to Achieve Risk-based Application Security Management

More from Application Security

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…