New York reported a record high number of breaches last year, just after a new set of cybersecurity regulations went into effect in the state.

“In 2016, New Yorkers were the victims of one of the highest data exposure rates in our state’s history,” said Attorney General Eric Schneiderman in a statement released last week. “The total annual number of reported security breaches increased by 60% and the number of exposed personal records tripled.”

According to the report, the stolen data consisted overwhelmingly of Social Security numbers and financial account information, and hacking was the leading cause of the breaches. The 1,300 breaches involved the private data of 1.6 million state residents, and 81 percent of the breaches involved the loss of Social Security numbers or financial information.

The largest breach involved Albany-based Newkirk Products, which provides ID cards for health insurance plans. The next-largest breach involved HSBC Bank.

The state started requiring businesses to report breach data in 2005. This report doesn’t yet reflect the impact of the new cybersecurity regulations that went into effect at the start of March for financial institutions doing business in the state.

However, it shows that New York saw the problem was getting worse, said Brad Keller, senior director of third party strategy at Prevalent.

“I suspect that New York was working on these regulations because they were sensing, seeing or hearing that there was an increase in cybersecurity incidents,” he said.
“The fact that the numbers support their actions tells me that the New York state regulators are keeping a pretty good finger on the pulse of what’s happening.”

He pointed out that the new requirements, which affect financial firms doing business in the state, require companies to take extra steps to oversee the security at their vendors and business partners.

The Newkirk breach was responsible for nearly 50 percent of the records lost last year.

The new regulations go beyond simple cybersecurity best practices when it comes to third-party security, Keller said.

“A senior executive must be responsible for a third-party program,” he said. “It really reinforces that this third-party risk is a board-level matter.”

And it means that companies need to ensure that their security standards apply to their vendors as well.

“What I’ve been advising people is, as they go about their task of establishing cybersecurity controls, they need to be thinking about how they’re going to impose down on their third-party service providers,” he said. “They really do need to be in sync.”

Smaller and mid-sized companies need to be particularly vigilant, he said, since they are more likely to outsource more of their critical processes.

This is particularly important for financial institutions, he added.

“If I’m a hacker, it’s reasonable for me to expect that it will be harder to break into a top-five financial institution, than into a medium-sized company that provides services to financial institutions,” he said.
“And if I get into a vendor that provides access to twelve banks, then I get access to twelve banks’ data as opposed to one.”

Keller said that he doesn’t expect the number of breaches to go down immediately as a result of the new regulations.

“With all due respect to security professionals, I think that it’s reasonable to expect reported incidents to go up, only because of the time it takes to go in and make substantial improvements to security controls,” he said.