Listen to this article
Not long after Maria Vullo was named the “top cop” on Wall Street, she realised that she had to get a proper grip on cyber security.
Within a few weeks of her nomination in January 2016 as the next superintendent of New York’s Department of Financial Services, thieves raided the Bangladesh central bank’s account at the New York Federal Reserve and made off with $101m.
LinkedIn and Tumblr then revealed big breaches of their own, before Yahoo announced that at least 500m users had been hacked. Then came the presidential election, which stirred reports that Russia-linked operatives had stolen emails from the Democratic campaign.
“All of these events collectively . . . really made it imperative that we do something,” says Ms Vullo, a former litigation partner at law firm Paul Weiss.
She took office in June 2016 and by February 2017 the DFS had produced a cyber security regulation, the first of its kind across the nation. It required hundreds of banks, insurers and other financial institutions to vouch for the strength of their defences against cyber attacks.
Among the minimum requirements: the appointment of a chief information security officer, reporting to the board; certifications of compliance by a senior officer; and an undertaking to notify the DFS of any serious breaches within 72 hours of their discovery.
“It feels like they’re being very, very public in underscoring the importance of cyber security for the sector,” says Jim Halpert, a Washington-based partner at law firm DLA Piper. “They do not want to have a major event on their watch without having made a strong statement.”
One important deadline came in February this year, when companies supervised by the DFS had to submit their first certification of compliance with large chunks of the code. That is everyone from a $10m-in-assets broker to Goldman Sachs, which has a $917bn balance sheet.
“Our financial markets are at great risk,” says Ms Vullo. “They’re obviously part of a global network where risk could be systemic and interconnected, both from a financial point of view and a consumer privacy point of view.”
Analysts say the rules from the DFS, an agency created after the financial crisis through the merger of the state banking and insurance regulators, go several steps beyond the framework adopted by the Federal Financial Institutions Examination Council. The FFIEC is supposed to promote uniformity in the supervision of banks and other financial institutions by the likes of the Fed, and the Office of the Comptroller of the Currency.
Even for the biggest companies, it can be a battle to stay one step ahead. One chief information security officer at a global bank in New York, speaking on condition of anonymity, says he detects an attack on his systems at least every 10 seconds. He identifies four types of adversary: criminals, nation-state actors, “hacktivists” (those whose aim is to disrupt and bring attention to a cause) and trusted insiders, often acting out of a sense of a grievance.
Ms Vullo says she wanted to stir a sense of urgency. One way of doing that was to require a board-level director or a senior manager to sign on the dotted line, attesting to the effectiveness of the company’s controls. Previous guidance was aimed a few notches lower, at the chief compliance offer. “You need people with the purse strings involved in the process,” she says.
Ms Vullo also wanted to upgrade requirements around the CISO. The role does not have to be a full-time one, but the person needs a proper grasp of the particular risks the company is facing, she says. Some have wondered whether that was the case at Equifax, the credit-reporting agency, which admitted last September that the personal records of 145.5m US consumers could have been compromised during a raid that went on for two and half months.
The former chief security officer at the Atlanta-based company, Susan Mauldin, has a bachelors degree and a master of fine arts in music composition from the University of Georgia. Her professional profile on LinkedIn, since removed, made no mention of any qualification in technology or security. “We do require [CISOs] to be qualified and responsible for maintaining compliance,” says Ms Vullo.
She says she will know if the new code is working if companies can provide evidence that they have successfully thwarted intruders — and that they are suffering fewer internal incidents, such as people clicking on a “phishing” email purporting to be from a colleague.
Only then, she says, will the programme have done its bit to bolster the safety and soundness of the state’s financial services industry.