by linking the bank’s cybersecurity policies with the various cybersecurity systems employed by the institution. By unifying and centralizing threat detection, investigation, reporting and compliance, banks can optimize their cybersecurity defenses. Furthermore, having real-time intelligence about the latest threats and tactics can ensure a higher level of defense.

To reduce the frequency of cyberattacks and mitigate the effects of a breach, sharing threat data with other institutions, regulators and infrastructure providers is crucial. Community financial institutions that lack sufficient IT staff can subscribe to threat intelligence feeds and leverage cyberthreat data shared by other security professionals to gain the actionable intelligence needed to protect their institution.

Banks must be aware as cyberattacks evolve and new threats emerge. This also means that a one-time assessment is not enough to prevent an attack. Instead, banks should constantly evaluate and enhance their cybersecurity defenses, which can be accomplished in a cost-effective manner. For banks in rural areas with a limited IT staff, where it is not feasible to hire new talent, turning to an outside team of security experts may be the best option. Leveraging an independent third party to check the system and report any necessary improvements can also be helpful.

No financial institution, regardless of size, is exempt from a potential cyberattack. This, combined with the advent of new cybersecurity regulations like those proposed by the New York State Department of Financial Services (see sidebar), means that the need for effective cybersecurity is at an all-time high. Community financial institutions should stop adding more point solutions and start taking control over their cybersecurity program by unifying threat detection, investigation, reporting and compliance. Doing so allows banks to organize, align and enhance their existing cybersecurity defenses to thwart the latest tactics of cybercriminals without overstretching their budget and IT staff — particularly important for community financial institutions.

Sean Feeney is CEO of DefenseStorm, a security data platform that watches everything on a financial institution’s network and matches it to its policies. For more information, visit www.DefenseStorm.com.

NEW YORK CYBERSECURITY RULES SET THE PACE

Cybersecurity requirements implemented in March by the New York State Department of Financial Services are being hailed as a model other states follow. By the end of August, covered entities were expected to meet the following requirements, according to a Technology Newsflash on the website of global law firm White & Case:

— Cybersecurity Program (and Documentation). Develop and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s information systems. This program must be based on the entity’s risk assessment which, according to the rules, is not due for a year. Significantly, all documentation and information relevant to the program must be made available to the superintendent upon request.

— Cybersecurity Policy and Incident Response Plan. Develop and maintain a written cybersecurity policy and incident response plan. The policy also must be based on the risk assessment.

— CISO (Chief Information Security Officer). Designate a qualified individual for overseeing and implementing the cybersecurity program and enforcing cybersecurity policy. The person does not need a CISO title, and a third party can be used.

— Continuously Trained Cybersecurity Personnel. Use qualified personnel (including third-party service providers) that maintain sufficient current knowledge and training to manage changing cybersecurity threats and countermeasures.

— Limit Access Privileges. Also to be based on the risk assessment, companies are expected to limit user access privileges and to periodically review those privileges.

— Notice of Cybersecurity Events to the Superintendent. Covered entities must start notifying the NYDFS no later than 72 hours after it determines an act or attempt, successful or unsuccessful, was made to gain unauthorized access to, disrupt or misuse an “information system” (separately defined) or the information stored on it, if the event (a) requires notice to a government body, self-regulatory agency or any other supervisory body, or (b) has a “reasonable likelihood of materially harming any material part of the normal operation” of the covered entity.

THE UNIVERSAL BANKING EXPERIENCE

BY JAMES GEESLIN AND LINDSAY GREEN

The rapid rate of technological advancements has finally caught up to the banking industry. Not only can consumers experience banking technology enhancements via their mobile devices, but technology has also demanded upgrades to the bank lobby experience as well. Financial institutions should concentrate on enhancing their lobby experience, as there are fewer opportunities to make an impact on customers in the financial center due to declining lobby traffic for routine transactions. In fact, there really isn’t much need for many cash drawers or traditional

SMARM banking is a universal banker model of serving customers.