As more operations move to the cloud, employees, contractors, and partners access sensitive data through a browser or remote desktop.  Frequently, users run reports that pull this data onto their local machines for further analysis.

Protecting this sensitive data while it is displayed on a computer or mobile screen is critical to prevent unauthorized use and to avoid the litigation and fines that follow from violating privacy legislation.

Here are four use cases for using Screen Security to protect your sensitive data.

Protect PII and PHI on the screen

Allow employees and contractors to work with sensitive data while minimizing the risk of a data breach caused by sharing pictures of that data with unauthorized users.

ERP, CRM, EMR, financial, and other business systems provide users with easy access to detailed personal and company information.  This information is not adequately protected against malicious or inadvertent screen capturing, especially with so many remote workers and people working from home.

Users can access sensitive data on web-based applications and share it with anyone.  They can capture the screen content with an image capture tool or by taking a picture with a phone.  This can lead to a data breach that violates privacy legislation and can lead to litigation, fines, and reputational damage.

Fasoo Smart Screen can block screen capture attempts from specific applications and websites by covering the sensitive content with a secure image that warns users they are trying to copy sensitive data.  By allowing specific users to access applications while preventing them from capturing sensitive data, you minimize potential data breaches.  You can even forcibly minimize target applications when known capture tools are launched to deter further sharing of sensitive data.

Prevent pre-release of information in files and on internal websites

Stop data leaks by blocking screen capture attempts of product designs, media, and other sensitive information in files and on internal websites.

Internal websites showcase new products and other strategic information that employees and contractors need for planning marketing and sales activities.  Sometimes, these users take pictures of this information and use it for personal gain, send them to competitors, or share them on social media.

These actions can create competitive pressure that leads to lost sales or market share if competitors get hold of the information.  Since anyone with a phone can take a picture and share it, you need to deter this before it erodes your competitive advantage.

Fasoo Smart Screen can block screen capture attempts of sensitive data on websites and apply visible watermarks to trace potential data leaks to the source.  Dynamic watermarks appear in certain applications and specific URLs showing the user’s name, IP address, and timestamp to deter screen capture.  By blocking screen capture tools on specific URLs, administrators can control sharing of sensitive data and even see image logs of attempted screen captures.

Protect sensitive data in call and contact centers

Minimize the risk of data leaks by applying a visible watermark to trace sensitive data back to call or contact center employees.

Customer service and contact centers use virtualized or remote desktops to control access to highly confidential information.  Workers could take a screen capture of PII or take a picture with their phone and share that information with unauthorized people outside the company.  This is especially risky with outsourced vendors who may have a high turnover of employees and contractors, and who allow many people to work from home.

Anyone with sensitive data on the screen can easily use a screen capture tool or take a picture of the screen with a phone and share it with colleagues and friends.  If this information becomes public, your company may be subject to fines and litigation.

Fasoo Smart Screen discourages screen capture attempts by applying visible watermarks with user and company information to trace potential data leaks to the source.  A customizable, visible screen watermark appears on websites, specific applications, and sensitive documents showing the user’s name, company name or logo, IP address, and timestamp.  Administrators can see image logs of attempted screen captures.  The visible watermarks deter leaking sensitive data since the user’s name is on the captured image.

Safeguard sensitive financial information in documents

Reduce the possibility of customer and supply chain loss by blocking screen capture attempts of sensitive financial information in files.

Employees and contractors share documents containing sensitive financial information as they work with customers and suppliers.  Someone may create a document and share it or run a report from a financial system.  The users could take a screenshot of the content and share it with anyone, either inside or outside the organization.

If a public company shares this data prematurely, it may disrupt markets and run afoul of SEC rules.  If competitors have this data, they may undermine your supply chain or make a run at your customers with discounts and other strategies to steal them.  Since anyone with a phone can take a picture and share it, you need to stop this from causing problems.

Fasoo Smart Screen can block screen capture attempts of sensitive data in documents and apply visible watermarks to trace potential data leaks to the source.  Dynamic watermarks appear in sensitive documents and deter users from sharing images of them since the user’s name, timestamp and other identifying information are visible.  If a user tries to take a screenshot of the document, an image appears over the content preventing the attempt.  Administrators can see image logs of attempted screen captures to help address potential leaks with users.

Learn more about how Fasoo Smart Screen can help you protect sensitive data shared on screens.

Mergers and acquisitions (M&A) activities pose major document protection challenges for all parties involved. Leaked or stolen data has caused bidding wars, broken deals, cost millions of dollars in damages, and ruined reputations. How can M&A teams ensure maximum document security without impeding productivity?

*

Merger and acquisition teams typically range in size from a handful of members in smaller or medium-sized organizations to several hundred internal contributors at enterprise scale. That applies to the buyer’s side as well as to the seller’s teams, and includes investment banks or Private Equity (PE) firms.

This headcount, however, doesn’t yet include external contributors. Think research analysts, M&A advisories, outside legal counsel, data protection and privacy compliance consultants, and IT integration specialists. Most of them are involved at one stage or another of the M&A process.

Since the beginning of the COVID-19 pandemic, many internal and external M&A team members have accessed sensitive documents from their home offices. On tight deadlines, they collect, create, review, edit, and share sensitive data that can make or break a deal – or kill it, if that data falls into the wrong hands.

M&A activities at an all-time high – and deal leaks, too

The shift to remote and hybrid work is a powerful driver behind banks and their corporate clients leveraging enterprise-level Digital Rights Management (DRM) to secure M&A-relevant unstructured data. The reasons quickly become clear when we look at a real-life example. 

A global automotive component manufacturer is planning with its investment bank the acquisition of a publicly traded semiconductor design and manufacturing company.

[Table: Overview of deal leaks by sector.  Source: SS&C Intralinks 2020 M&A Leaks Report (PDF)]

It’s high season for M&As, and the planned deal seems like a match made in heaven. Yet from an M&A security perspective, the timing couldn’t be worse. M&A leaks have been spiking recently, according to the SS&C Intralinks 2020 M&A Leaks Report [PDF]. This development means all new M&As face an unprecedented challenge. 

The challenge: Remote work amplifies M&A security risks

We’ve highlighted document security risks for banks and financial firms resulting from remote work before. The threat level is even more elevated for members of the extended M&A team who work from home. Preparation and execution of most mergers and acquisitions involve a wide variety of confidential documents – in some cases, thousands of them. 

Niche vendors of M&A tool platforms tout the cloud-based Virtual Data Room (VDR) as the solution. Such “deal rooms” have become a fixture in the M&A space. At the same time, data protection experts say that VDRs instill a false sense of security – comparable, perhaps, to standard M&A non-disclosure agreements.

These critics point to the weak – often password-based – security of VDRs and specialized M&A document management systems that can too easily be circumvented. Deal administrators and IT lament interoperability issues with other cloud storage services, as well as manageability and scalability problems.

The solution: data-centric M&A security

Enterprise DRM enables IT to strengthen M&A security instead. Fasoo Enterprise DRM, for example, enables data owners to protect confidential content through all stages of a merger or acquisition.

[Bar chart: M&A cost distribution by phase.  Source: IBM Benchmark Insights: Assessing Cyber Risk in M&A]

In our example, we focus on negotiations, due diligence, transaction execution, and implementation. These are the M&A stages where data breaches and deal leaks can be most damaging and costly. 

Let’s take a closer look at how the acquirer, its bank, and the acquisition target leverage EDRM to maximize document protection. Enterprise DRM’s data-centric security enables IT and deal administrators to protect, control, and track sensitive data on a per-document basis, on any device, at any time.

M&A and beyond: document lifecycle protection

Fasoo encrypts confidential files at the point of creation or before they get uploaded to a VDR, for example. This protection applies throughout the entire document lifecycle, regardless of which M&A platform any contributing organization may be using.

  • Negotiations: Centralized policy management enables M&A data owners and deal administrators to remain in control. Fasoo Enterprise DRM lets them flexibly adjust who can access, edit, print, or share sensitive content – including remote workers.

    This phase usually involves a large number of Microsoft Office document formats and Adobe PDF files. Dynamic permission control enables deal administrators to assign and revoke file access permissions for reviewers on a temporary basis, for example, to facilitate more than one bidding round.

  • Due diligence: In our example, the due diligence document list includes (among others) intellectual property (IP) files, tax records, financial planning P&L documents, electronic design automation (EDA) diagrams, facility blueprints, tax filings, HR records, and all sorts of legal PDFs. Throughout the document review process and beyond, data owners and deal administrators centrally manage who has access to sensitive content. Context-aware and hardware-agnostic secure print and pull print capabilities prevent the unauthorized printing of Personally Identifiable Information (PII) at a home office printer or in a shared workspace, for example. Secure screen and watermarking features (“Fasoo Smart Screen”) block or deter screen capture attempts across all applications, including in Virtual Desktop Infrastructure (VDI) environments and browsers.

  • Post-transaction / implementation: M&A security professionals warn that the post-merger integration of the acquired company with the buy-side is fraught with data protection and compliance risks that can cost the acquirer millions or even billions of dollars. Data breaches are one main reason for the high M&A failure rate. In our example, the acquirer already has Enterprise DRM in place across its global organization, not unlike this Fasoo customer in the same industry. This means trade secrets, personnel PII, and even sensitive records exported from databases are automatically detected, classified, prioritized, and encrypted when they enter the buyer company’s environment from the acquired company.

During each M&A stage and long thereafter, Enterprise DRM provides persistent protection and consistent tracking. A document usage audit trail keeps IT, compliance managers, and financial regulators in the loop. 

After all, “digital M&A became the new norm” during the pandemic, according to the consultants at Bain & Company. This year, more dealmakers discovered the power of Enterprise DRM. They use it to prevent M&A leaks and data breaches from becoming a new norm, too.

How does Fasoo Enterprise DRM (Fasoo EDRM) compare to Microsoft Azure Information Protection (AIP)?

The first solution is a digital rights management platform to protect documents at scale in large organizations and along their supply chain.

The latter was developed primarily to protect the document ecosystem of MS Office plus a few third-party file formats.

Can you compare them at all?  It’s a common question we get, so let’s try.

*

“We’re looking at our options for securing documents across the whole organization, including our worldwide subsidiaries and supply chain. What advantages would we have from choosing Fasoo Enterprise DRM over Azure Information Protection (AIP) by Microsoft?”

I have to admit, each time we receive an email like that, we cringe a little.  It’s a bit like asking us to compare a Ford F-series pickup truck (America’s most popular car in 2020) and a Chrysler minivan (the best-selling minivan during the same year), on the grounds that they both have four wheels and can take a load.

We welcome such questions, though, because they give us an excellent opportunity to clear up some confusion. Read on for a few of our answers.

MS AIP vs. Fasoo comparison: Frequently Asked Questions (FAQ)

[Image: Minivan vs. Ford Super Duty pickup truck.  Caption: Minivans keep us moving, but heavy-duty tasks require different means.  Photo sources: Dreamstime / Ford]

The confusion is understandable. The early and often niche-focused enterprise-level DRM solutions of the past were considered expensive, complex to deploy, and difficult to scale. As a result, many IT teams today still lack hands-on experience with modern DRM-based information protection capabilities at scale.

Fast-forward to 2021: Enterprise DRM solutions have matured significantly over the past decade. This has caused a considerable change in perceptions and is credited with the recent resurgence of enterprise DRM. 

Combined with the shift towards a data-centric information security approach, this development now has more information security leaders asking about the specific strengths of enterprise DRM. Here are five frequently asked questions involving Fasoo EDRM and AIP:

1. How many file formats does Fasoo support compared to AIP?

Microsoft file protection supports approximately 20 file types. AIP modifies file extensions for non-Office file types (txt to ptxt, jpeg to pjpeg, bmp to pbmp). This can cause issues with third-party applications and firewalls.

Fasoo supports more than 230 file formats, including a broad range of PDF files, plus any less common file format based on a niche application that a customer might use. All formats Fasoo supports can be opened in their native application. It does not modify file extensions, which means applications that rely on native file extensions for scanning or other purposes keep working. 

2. How does Fasoo EDRM protect CAD files in comparison to AIP?

AIP does not support protection of CAD files while in use. Fasoo protects CAD files while at rest, in transit, and in use.  By integrating directly with over forty different CAD applications, Fasoo EDRM allows users to interact with CAD files as they normally do while maintaining strong protection of the data.

3. How strong is Fasoo’s encryption compared to MS AIP?

AIP is limited to AES 128-bit encryption for Office files because Office 2010 cannot support AES 256-bit encryption. Other file types use 256-bit. Microsoft does not support encryption for Office 2007. It recommends upgrading to Office 2016 for ease of deployment and management.

Fasoo uses multi-layered encryption for all file types, including AES 256-bit encryption for all file payloads. This is important for compliance with certain regulations. Fasoo supports Microsoft Office 2007, 2010, 2013, 2016, 2019, and 365.

4. How do the document tracking and monitoring capabilities of Fasoo compare with those of MS AIP?

AIP currently has no centralized report portal for usage, adoption, or document activities. It also doesn’t provide a method for tracking AIP user licenses. Microsoft recommends editing the registry to remove access to functions from specific users designated as “consumers only” of AIP-protected files.

Fasoo provides centralized reporting on all document and user activities in a web-based console. Thresholds can alert administrators to anomalous and potentially suspicious activity. Fasoo EDRM also tracks all licensed users in a web-based, centralized console. 

5. How are Fasoo’s policy and exception management different from AIP’s?

This question comes up frequently because Microsoft AIP relies on individual users to make security policy decisions on how to protect documents. This approach requires IT and data owners to relinquish control over individual documents to a degree that poses challenges for organizations with many users and constantly changing roles.

Fasoo can automatically assign file protection without user intervention. It provides centralized policy management and exception handling capabilities. This “file-centric, people-centric” approach allows the organization to determine who can access a protected document, rather than relying on the document creator to make that decision. Users with permissions are empowered to extend access rights and permissions to other users as needed.

*

Will it fit and grow with your mission?

In summary, most inquiries we get about Microsoft AIP vs. Fasoo boil down to a single general question: How does a dedicated solution for securing documents in large organizations stack up against an assemblage of document protection components designed with a focus on MS Office applications and file formats?

My answer, in a nutshell: It’s difficult to compare a Ford F-450 Super Duty truck and a Chrysler Pacifica minivan. To stay with the analogy for a moment, deciding between work truck and family van becomes much easier when we ask this question:

Will it fit the mission? 

###

Do you have questions about any of the items above or related topics?
Contact the Fasoo team here.

Fasoo shows unstructured data security at Gartner SRM 2018

This year at the Gartner Security & Risk Management Summit in National Harbor, MD there was a lot of focus on reducing business risk through improved cybersecurity that focuses on protecting data as users create and share it.  One area of concern to many organizations is how to find and protect sensitive data without impacting how employees and customers work.  Data protection regulations, like GDPR, are making things more complicated, but companies need to balance security with productivity.

At the Fasoo booth, a lot of people talked about issues with combining different technologies that still focus more on protecting the location of data rather than the data itself.  One executive from a manufacturing company talked about how her DLP system can tell them that sensitive documents were shared with external parties, but can’t really control their access or stop them from going out.  This is a common concern as companies use DLP, CASB and other technologies that can’t control access everywhere.

On Tuesday, June 5, 2018, John Herring, President & CEO of Fasoo, Inc. and Ron Arden, Executive Vice President and COO of Fasoo, Inc., presented “Unstructured Data Solutions Journey”.  John talked about the challenges of balancing data security and productivity and how many of the traditional approaches of securing the data perimeter haven’t met the hype.  By securing the data itself, you don’t need to worry about where it goes, since it’s always protected and tracked.  He presented how some of Fasoo’s customers have overcome the challenges with a holistic approach to discover, classify, protect and track sensitive manufacturing data and information subject to regulatory control using Fasoo Data Radar and Wrapsody.

[Image: Fasoo presentation on protecting unstructured data at GSRM 2018]

Ron showed how in three quick steps with Wrapsody an organization can securely collaborate when creating a product quote while limiting access to specific people and making it easy to ensure they each have the latest version.  With a few clicks of a mouse a sales manager encrypted a spreadsheet, applied access control to it, provided an audit trail and automatically synchronized the latest version to a central location.  As the operations manager updates the quote and shares it with a customer, the process is easy for all parties to get the latest information and ensure the entire process is secure regardless of who has the document and where they open it.

During the course of the summit, a lot of attendees and analysts came to the Fasoo booth to understand the best ways to comply with new regulations and how to protect sensitive data from both internal and external threats.  Visitors were very impressed by how the Fasoo Data Security Framework can help them achieve those goals by discovering, encrypting and controlling their sensitive data.

Attendees at the session and at the booth were excited to see that Fasoo technology is very robust, balances security with usability and integrates with an organization’s existing infrastructure.  A common strategy is to make the technology almost invisible to users unless they try to violate a security policy.  I remember one person saying, “I was a little skeptical during your presentation, but convinced once I saw it in action.”

[Image: Ron Arden presenting on NYDFS compliance at RSS 2017]

Ron Arden, Executive Vice President & COO, Fasoo, Inc. spoke to security professionals and executives on how to meet the data-centric requirements of the NYDFS 23 NYCRR 500 cybersecurity regulations for financial services organizations at the 2017 Rochester Security Summit at the Rochester Hyatt in Rochester, NY.

Ron delivered a presentation entitled “Do You Have a Pathway to Data Security and Compliance?” as part of the risk and compliance track during the October 19 – 20, 2017 event.  With deadlines approaching for some of the more challenging components of the NYDFS cybersecurity regulations, timing was right as Ron reviewed results from the recent Ponemon Institute survey on NYDFS readiness and Fasoo’s approach to help meet the technical challenges of protecting unstructured data or data stored in files.  This is an area that most organizations are struggling with, since about 80 percent of their information is not in databases, but is in office documents.

Conversations during the presentation ran from concerns about meeting regulatory compliance to those trying to protect intellectual property from walking out the door.  One financial services company is in the process of locating and classifying all files, trying to decide what is sensitive and what is not.  Ron suggested thinking about all files as sensitive and encrypting them upon creation.  If you spend a lot of time determining what is and what is not sensitive, you may miss something and cause more problems.  If you need to remove the encryption to share with someone externally, it’s easier to make an exception for that rather than expecting users to decide on the sensitivity of a file.  That causes breakdowns in workflows and burdens users unnecessarily.  Plus you may not meet the NYDFS requirement to encrypt all nonpublic information.

Bill Blake, Senior Vice President of Fasoo, and Ron joined security partner Brite Computers in a booth during the vendor-focused times of the 2-day event.  Brite and Fasoo have had great success over the years bringing security technology and a customer-focused approach to solving business problems to numerous customers in a variety of industries.  The initiatives helping customers become compliant with the NYDFS regulations are just the latest.

[Image: RSS 2017 after party]

Brite also had an RSS after party on Thursday evening to meet with customers and partners in a more relaxed setting.  It was held in the newly renovated Center City Terrace & Lounge and allowed everyone to take advantage of the unseasonably warm weather.  It was great to get to meet a lot of Brite’s current customers and talk to them about how Fasoo can help them address many of their security and compliance issues.

The event this year showed the continuing need for data-centric security solutions as companies try to mitigate the risk of both external hackers and insider threats to their most sensitive data.  Complying with regulations is important, but the main goal of these regulations is to protect sensitive data from leaking or being stolen by unauthorized people.  Stopping this has become a main focus of many CISOs and boards.

Fasoo Shows Wrapsody Productivity and Security Platform at Gartner Symposium 2017

Fasoo demonstrated the latest version of the Wrapsody productivity and security platform at the Gartner Symposium/ITxpo 2017 from October 2 – 5, 2017 in Orlando, FL.  There was a lot of interest from CIOs, other executives and security professionals as many are struggling with how to secure sensitive information while also providing enhanced productivity for documents or unstructured data.

This year’s Symposium continued Gartner’s focus on helping organizations transform into digital businesses, which is far more than just automating processes.  It includes a holistic change of thinking, where data is the driver of growth and secure business processes are a given.  Since documents make up about 80% of the information that drives business processes, simplifying secure collaboration with documents while enhancing governance and compliance are key components of digital business.

On Tuesday October 3, 2017, John Herring, President & CEO and Ron Arden, Executive Vice President and COO of Fasoo, Inc., presented “Content Services and Security Platform for Digital Transformation”.  John talked about using the power of the Wrapsody file-centric security and information management platform to simplify and enhance collaboration as businesses grow.  The key to Wrapsody is a unique, persistent file ID that follows a document and allows secure sharing, distribution and tracking, and version control at the data source across all locations.  It allows organizations to address issues from risk management to business performance.  Ron followed John with an example of how Wrapsody enabled a company to quickly and easily create its budget for next year.  Since all collaboration and interaction was around the budget spreadsheet, it allowed all stakeholders to update their sections easily without having to search for who did what, when, and where the latest copy of the document is.  Wrapsody also has great analytics that allow different constituencies in the organization to track and manage security, compliance, governance and productivity.

[Image: John Herring presents at Gartner Symposium 2017]

During the course of the Symposium, a lot of attendees and analysts came to the Fasoo booth to understand how to break through the problems of traditional file shares and document repositories.  While those systems are great for organizing information, they are challenging when users have to collaborate outside the system and move files from repository to desktop to email and to the cloud.  Tracking and managing documents regardless of location and ensuring that everyone has the current version is a constant battle that affects productivity, governance and security.  Wrapsody simplifies this by bringing the process down to the file level and automatically synchronizes files as users create and work with them.

A number of attendees were also interested in how Fasoo can provide more granular permission controls with the Wrapsody platform for those scenarios that demand greater security.  When a user creates a Wrapsody document, the user assigns View or Revision permissions to those people that need to access the document.  The document is encrypted and allows collaboration through the organization and beyond.  If a user wants to further control an authorized user’s ability to Print, take a screenshot, run a macro or extract data to an unprotected environment, those permissions can be granted.  One CIO commented that she liked that flexibility, since some documents are more sensitive than others and will require greater controls.

With companies trying to improve productivity and comply with numerous new regulations, such as GDPR in Europe, Wrapsody provides access control and an audit trail of wherever the document has traveled. Document owners, department heads and security administrators can see how each document has been used through a graphical dashboard.  Since documents are always protected and tracked, regardless of location, complying with new cybersecurity regulations is a lot easier.  One CIO from a government agency liked the analytics, since he said that understanding what information he has and who is using it is a major challenge to security and data governance.

Of course no Gartner Symposium would be complete without a visit to an Orlando theme park.  This year’s attendees got to enjoy an evening at Universal Studios with great food, rides and a lot of fun.  Having a drink at an Irish pub or going on a roller coaster are great ways to meet new people and be a kid again.  It was a nice balance with the seriousness of the main event.

Fasoo Moderates Panel on Cybersecurity and Your Company

Bill Blake, Senior Vice President and CCO (Chief Customer Officer) of Fasoo, moderated a panel discussion on Cybersecurity on September 13, 2017 at Harter Secrest & Emery LLP in Rochester, NY.  The event, entitled Cyber Security & Your Company – What You Need to Know Now, featured industry leaders and experts from The Bonadio Group, Fasoo, Lawley, and Harter Secrest & Emery LLP discussing how, when, and why to plan for a cyber attack.

The event was part of a continuing dialog with organizations on the needs for stricter cybersecurity controls in the wake of the ever growing threat of data breaches and threats to business operations.  Recent data breaches at Equifax, Verizon and others show that any organization is vulnerable to external attacks or insider threats.  Regulations and legislation, such as the New York NYDFS 23 NYCRR 500 cybersecurity regulations and GDPR in Europe, are causing businesses to improve their security posture to protect business and customer information.

Paul Greene, an attorney with Harter Secrest & Emery LLP, started the event with some opening remarks and Bill Blake got right into the discussion questions which hit on a number of cybersecurity topics, including how to prepare for a cyber attack, the role of insurance in your incident response plan and how the newest cybersecurity regulations and laws affect your business.

High on the list was a discussion of the recent Equifax data breach and how it affects businesses and consumers.  This led to a discussion and questions about risk assessments and how they are critical to improving your cybersecurity posture.

Carl Cadregari, an Executive Vice President at The Bonadio Group, talked about the frequency of doing a risk assessment.  This is not something you can do once.  The threat landscape is constantly changing and the needs of your business are evolving, so you need to continually assess your risk and the best ways to mitigate it.  Carl said that finding your most sensitive data and encrypting it is one of the best ways to ensure you are protected.  If a hacker gets encrypted files, they won’t be able to use them.  In many cases this may not be considered a data breach, so you don’t need to report it.

While most of us think about technical solutions, legal ones are as important as well, since a cybersecurity event is not a breach until your attorney says it is.  Paul Greene mentioned “It’s important to involve counsel in your Risk Assessment process because it allows you to have a full and frank discussion about any shortcomings you may find, without worrying that those discussions can be used against you.  That’s the protection of the attorney-client privilege, it allows for that “oh [expletive]” moment when you discover something that may be really bad, without the worry that those communications will be used against you.”

Reggie Dejean, a Specialty Insurance Director from Lawley Insurance, talked about the crucial role of insurance in any cyber compliance program.  He said, “Cybersecurity insurance can help mitigate the financial loss that occurs when, not if, a data breach happens to a company. These policies can help cover some of the costs which include forensics, credit monitoring, notifying those affected, public relations and more. In today’s world, any size company is susceptible to a cyber breach, so cyber intrusion insurance can help reduce your risk and costs.”

Bill Blake brought up printing as a risk that many organizations don’t think about.  There tends to be a focus on digital assets, but if someone prints sensitive information, there is still the same liability when it comes to regulation and the law.  Numerous audience members asked if protection of sensitive data extends to paper files, and the general consensus is that it does.  Preventing printing to minimize risk is clearly a good strategy when applicable, but masking sensitive data and applying visible watermarks are also good strategies to help eliminate sensitive data on paper and allow you to trace the information back to the person who printed it.

Another big discussion was around risk in the supply chain.  An audience member from a bank said they share a lot of information with Equifax and was wondering if the bank is liable because of the Equifax data breach.  Under the NYDFS 23 NYCRR 500 cybersecurity regulations an organization is responsible for the security of data it shares with its supply chain.  Whether the bank needs to inform authorities of a breach in its supply chain is unclear, but it is ultimately responsible for its data.  Third- and fourth-party protection will come from both technical and legal remedies.  You need airtight legal agreements to mitigate your risk, but encrypting and controlling your shared information is the best solution to supply chain risk.

The event finished with questions from attendees on the most challenging areas in their companies for compliance.  One bit of advice from the panel was to remember that companies should focus on protecting their sensitive information.  While many can get caught up in the minutiae of plans and reporting, it is imperative to focus on protecting the data which drives the business.

Fasoo helps customers comply with GDPR and NYDFS 23 NYCRR 500

This year at the Gartner Security & Risk Management Summit in National Harbor, MD there was a lot of focus on managing and mitigating risk to a business and how to improve cybersecurity through data-centric protection.  One area of concern to many organizations is how to comply with some of the newer cybersecurity and data protection regulations, like GDPR, as governments are trying to improve customer and business data security.

With all the recent malware, ransomware and data breaches, there was obviously a focus on how to prevent harm to one’s business.  As businesses move more into the realm of digital business, the concept of trust is becoming a larger issue.  If your customers do not trust you with their data, they will be less likely to do business with you.

On Tuesday June 12, 2017, John Herring, President & CEO of Fasoo, Inc., Dr. Larry Ponemon of the Ponemon Institute, and Ron Arden, Executive Vice President and COO of Fasoo, Inc., presented “Do You Have a Pathway to Data Security Compliance?”

John talked about the challenges of complying with the new NYDFS 23 NYCRR 500 cybersecurity regulation that affects any business regulated under banking, insurance and financial services laws in New York.  This applies to organizations doing business in NY and also affects third party service providers of those organizations.

[Image: John Herring, Larry Ponemon and Ron Arden present at Gartner summit]

Dr. Ponemon presented recent research from his study “Countdown to Compliance: Are financial services firms prepared for NYDFS 23 NYCRR 500?”.  Some of the key findings from the survey include:

  • 60 percent of respondents believe this regulation will be more difficult to implement than GLBA, HIPAA, PCI DSS and SOX
  • Over 50 percent do not have a formal cybersecurity program
  • 68 percent believe that the inability to know where high value data assets are located will pose a significant challenge

Ron discussed a six-step plan to encrypt and control unstructured data, or data in files, which is a key component of meeting the NYDFS, GDPR and other data protection and privacy regulations.  The session had about 150 people in it, and many of them asked specific questions about who is affected, how to work with your service providers to ensure they are protecting your sensitive data, and how to really provide complete control of your information regardless of its location.

During the course of the summit, a lot of attendees and analysts came to the Fasoo booth to understand the best ways to comply with these new regulations and how to protect sensitive data from both internal and external threats.  Visitors were very impressed by how the Fasoo Data Security Framework can help them achieve those goals by discovering, encrypting and controlling their sensitive data.

One interesting presentation by John Girard and Brian Reed from Gartner focused on information-centric security practices and the best ways to protect your business information.  While Gartner and most of the security industry recommends a layered approach to security, when it comes to protecting information in files, John and Brian said that EDRM is the only solution that can really protect it.  This is an important recognition that in the game of information protection and thwarting malicious or inadvertent attempts to steal sensitive data, perimeter solutions cannot meet the requirements as well as EDRM.

Attendees at the session and at the booth were excited to see that Fasoo technology is very robust, balances security with usability and integrates with an organization’s existing infrastructure.  I remember one person saying, “I was a little skeptical during your presentation, but convinced once I saw it in action.”

Practical Advice At Buffalo NYDFS 23 NYCRR 500 Pathways to Compliance Event

Following our successful event in Rochester, the second of the NYDFS 23 NYCRR 500 roadshow events at Phillips Lytle LLP in Buffalo, NY on May 17, 2017 brought together executives, insurance, legal, and security professionals in a great forum to discuss challenges for financial services organizations to meet the new cybersecurity regulations that went into effect on March 1, 2017.  A full house heard some practical advice designed to assist entities regulated by the New York Division of Financial Services (NYDFS) comply with the new regulations.

Jennifer Beckage of Phillips Lytle LLP started with her “Survival Guide to Navigating the NYDFS Cybersecurity Regulation”.  Jennifer talked about the challenges covered entities face not only developing their own cybersecurity programs, but how those spill over to their service providers.  Developing, implementing and monitoring vendor management programs will affect contracts, day-to-day operations and the technology used to secure and control information shared.

Dr. Larry Ponemon of the Ponemon Institute followed with a review of his latest survey, “Countdown to Compliance: Is the Financial Services Industry Ready for New York State’s Cybersecurity Regulations?”.  Sponsored by Fasoo, this survey gave great insight into the readiness of financial services organizations to comply with the new regulations.  One key statistic from the survey that picked up on Jennifer’s discussion on third party liability is that only about half the organizations think they can meet the two-year transitional period to implement a third-party services provider security policy.  One member of the audience mentioned that they may have to switch some service providers who can’t meet the requirements.  The discussion also talked about fourth-party service providers, since you as a covered entity can’t know who your service providers use for their business.  This gets complicated very quickly.

Dr. Ponemon’s keynote was followed by a panel discussion moderated by Kevin Cox from Brite Computers on meeting governance and security aspects of the regulation.  The panel included Dr. Ponemon, Jennifer Beckage, Dave Hansen from Freed Maxick, Reggie Dejean from Lawley Insurance, and Ron Arden from Fasoo.  Based on a number of questions from the audience, the panel had a lively discussion on incident response.  A key item is to engage your legal and insurance providers immediately if you suspect a negative cyber event.  How you characterize an event and your response to it is not only a technical and process issue, but a legal one too.  An event is not considered an incident until an attorney says so.

One key discussion was on data retention and protection.  Since the regulation talks about encrypting and limiting access to all nonpublic data, one way to minimize risk is to delete information that is no longer needed by the business.  If you don’t have it, you don’t need to protect it.  This not only helps with general security hygiene, but also helps satisfy other regulations, since eliminating unneeded information reduces a company’s general liability.  As in the earlier discussions, this lends itself to protection and revoking access to nonpublic information you share with your service providers.

Fasoo wants to thank all the Buffalo NYDFS 23 NYCRR 500 roadshow sponsors for all their support.  It was a great event, and everyone said that they got a lot of great information that will help them as they strive toward meeting the first deadline of August 28, 2017.

Ponemon Institute
Brite Computers
Lawley Insurance
Phillips Lytle LLP
Freed Maxick

Rochester NYDFS Pathways to Compliance Event a Big Success

The first of the NYDFS 23 NYCRR 500 roadshow events in Rochester, NY on May 16, 2017 was a great success as numerous people from local financial services companies participated in a great forum to help organizations understand how to meet the new cybersecurity regulations that went into effect on March 1, 2017.

The event was held at Harter Secrest & Emery LLP in Rochester and started what will be a continuing series of forums to assist entities regulated by the New York Division of Financial Services (NYDFS) comply with a strict and wide-ranging group of regulations.

The event started with an “Overview of 23 N.Y.C.R.R. Part 500 and Key Legal Challenges” by F. Paul Greene of Harter Secrest & Emery LLP.  Paul focused on many of the legal issues around compliance, including what is a covered entity.  Any organization regulated under the Banking, Insurance or Financial Services law is subject to this regulation.  This includes foreign and out of state businesses that operate in New York and most likely applies to the whole organization, unless the organization has a segregated IT infrastructure.

Dr. Larry Ponemon of the Ponemon Institute followed with a review of his latest survey, “Countdown to Compliance: Is the Financial Services Industry Ready for New York State’s Cybersecurity Regulations?”.  Sponsored by Fasoo, this survey helped gauge how ready organizations currently are to comply with the new regulations.  Some of the more interesting results are that most organizations do not believe they can meet the timelines for compliance, over 70 percent think a lack of knowledgeable personnel will hamper their efforts, and most are very concerned about how to implement effective security policies for third party service providers.

Dr. Ponemon’s keynote was followed by a Panel Discussion – Pathway to Compliance – that was moderated by Kevin Cox from Brite Computers.  Panel members included Dr. Ponemon, Paul Greene, Reg Harnish from GreyCastle Security, Reggie Dejean from Lawley Insurance, and Ron Arden from Fasoo.  There was a lot of discussion around doing a risk assessment and understanding what nonpublic information assets you have and where they are.  This led to insurance questions and how best to mitigate risk related to business continuity following a data breach.  While insurance is critical to recovery from loss, it is not a substitute for a good cybersecurity program.

The event finished with questions from attendees on the most challenging areas in their companies for compliance.  One bit of advice from the panel was to remember that the regulation is intended to protect companies and their customers by protecting sensitive information.  While many can get caught up in the minutiae of plans and reporting, it is imperative to focus on protecting the data which drives the business.  That is the focus needed to improve the cybersecurity posture at each covered entity.

Fasoo wants to thank all the Rochester NYDFS 23 NYCRR 500 roadshow sponsors for all their support in making it an outstanding event.

Ponemon Institute
Harter Secrest & Emery, LLP
Brite Computers
GreyCastle Security
Lawley Insurance

Fasoo Sponsors NYDFS 23 NYCRR 500 Roadshow

On March 1, 2017 new sweeping cybersecurity regulations from the New York State Department of Financial Services (NYDFS) took effect.  The NYDFS 23 NYCRR 500 regulations affect thousands of regulated financial institutions that do business in New York as well as thousands of Third Party Service Providers worldwide that support those financial institutions.  The regulations add to the complexity that financial institutions already face in developing and implementing their comprehensive information security programs.  They also bring with them challenges and uncertainty as organizations implement new tools and practices designed to protect customer and company information.

In response to this sea change, Fasoo is sponsoring a roadshow across three major markets in New York (Rochester, Buffalo and New York City) to help affected organizations comply with the new regulations.  The highlight of the roadshow will be a keynote by Dr. Larry Ponemon of the Ponemon Institute reviewing a study sponsored by Fasoo to gauge industry readiness and reaction to the new regulations.

The roadshow brings together experts in cybersecurity, insurance, law, corporate governance, risk management and compliance to help audience members prepare for implementing and managing these new regulations that will surely expand to other states and industries.

If you are in one of these cities during the week of May 15, 2017, please join Fasoo and its partners (see below) for one of these exclusive events.

Rochester, NY – May 16, 2017  8:00 AM – 10:00 AM
Harter Secrest & Emery LLP, 13th Floor
1600 Bausch & Lomb Place
Rochester, New York 14604
To learn more and register, please click here.

Buffalo, NY – May 17, 2017  8:00 AM – 10:00 AM
Phillips Lytle LLP
One Canalside
125 Main Street
Buffalo, NY, 14203
To learn more and register, please click here.

New York, NY – May 19, 2017  8:00 AM – 2:00 PM
PwC
300 Madison Avenue
New York, NY 10017
To learn more and register, please click here.

NYDFS 23 NYCRR 500 roadshow sponsors
Ponemon Institute
Harter Secrest & Emery, LLP
Brite Computers
GreyCastle Security
Lawley Insurance
Phillips Lytle LLP
Freed Maxick
PwC
ForgeRock
Securonix

New York Issues Final Version of Cybersecurity Regulations

The New York State Department of Financial Services (NYS DFS) just released the final version of its new cybersecurity regulations that affect organizations doing business under New York banking, insurance and financial services regulations.  The new regulation is designated 23 N.Y.C.R.R. Part 500, and goes into effect on March 1, 2017.

Paul Greene, an attorney at Harter Secrest & Emery, mentioned in a recent blog post that the main change in the regulation from earlier drafts is the move to a more risk-adjusted approach to cybersecurity, rather than a purely prescriptive approach.  Rather than applying a one-size-fits-all approach, the NYS DFS is allowing Covered Entities to define the risk associated with their nonpublic information before deciding on the best way to protect it.  Questions remain, however, concerning the scope and reach of these regulations.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks,” New York Governor Andrew M. Cuomo said. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

While the regulation covers everything from protecting nonpublic information to reporting on cybersecurity events, the risk-based approach to compliance will most likely affect the encryption, access control, audit and reporting sections of the regulation.  While most organizations agree they need to improve their cybersecurity, many are not sure what information they need to protect and how to protect it.

Part of the challenge is understanding what you have and where it is.  While many financial organizations know what is in a database or other structured information system, there are documents containing nonpublic information everywhere.  As most organizations go about their daily business, employees and contractors create documents with sensitive information and share them through email, file sharing systems, instant messaging and many other methods.  These end up on mobile devices, laptops, servers, cloud repositories and external systems.  Finding them and determining their content is step one in understanding how to protect them.

Another area not completely defined, per Paul Greene, is how Covered Entities will report material Cybersecurity Events within the 72-hour window contained in the regulations.  DFS does not yet have a system to do this.  It might be a secure reporting portal or other online system, but as of today this is not in place.

The first deadline for compliance is 180 days from the effective date.  That is August 28, 2017.  At that time financial organizations are subject to certain parts of the regulation, with the more difficult areas allowing 12 and 18 months for compliance.  I assume by August the DFS will have a way to administer the regulations.

If you are regulated in New York state by this regulation, you need to begin the process of compliance to improve your cybersecurity posture.
