New York Issues Final Version of Cybersecurity Regulations

The New York State Department of Financial Services (NYS DFS) just released the final version of its new cybersecurity regulations that affect organizations doing business under New York banking, insurance and financial services regulations.  The new regulation is designated 23 N.Y.C.R.R. Part 500, and goes into effect on March 1, 2017.

Paul Greene, an attorney at Harter Secrest & Emery, in a recent blog post mentioned that the main change in the regulation from earlier drafts is the move to a more risk-adjusted approach to cybersecurity, rather than a purely prescriptive approach.  Rather than applying a one-size-fits-all approach, the NYS DFS is allowing Covered Entities to define the risk associated with their nonpublic information before deciding on the best way to protect it.  Questions remain, however, concerning the scope and reach of these regulations.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks,” New York Governor Andrew M. Cuomo said. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

While the regulation covers everything from protecting nonpublic information to reporting on cybersecurity events, the risk-based approach to compliance will most likely affect the encryption, access control, audit and reporting sections of the regulation.  While most organizations agree they need to improve their cybersecurity, many are not sure what information they need to protect and how to protect it.

Part of the challenge is understanding what you have and where it is.  While many financial organizations know what is in a database or other structured information system, there are documents containing nonpublic information everywhere.  As most organizations go about their daily business, employees and contractors create documents with sensitive information and share them through email, file sharing systems, instant messaging and many other methods.  These end up on mobile devices, laptops, servers, cloud repositories and external systems.  Finding them and determining their content is step one in understanding how to protect them.

Another area not completely defined, per Paul Greene, is how Covered Entities will report material Cybersecurity Events within the 72-hour window contained in the regulations.  DFS does not yet have a system to do this.  It might be a secure reporting portal or other online system, but as of today this is not in place.

The first deadline for compliance is 180 days from the effective date.  That is August 28, 2017.  At that time financial organizations are subject to certain parts of the regulation, with the more difficult areas allowing 12 and 18 months for compliance.  I assume by August the DFS will have a way to administer the regulations.

If you are regulated in New York state by this regulation, you need to begin the process of compliance to improve your cybersecurity posture.

Cyber Security Legislation Will Change the Face of Business

As 2017 gets underway, cyber security legislation will strengthen and force businesses to change the way they approach information security.  At the federal level in the United States, the US Congress and President have proposed numerous updates to existing regulations and new regulations to cover all facets of cybersecurity.  These include the Cyber Preparedness Act of 2016, Cybersecurity Systems and Risk Reporting Act and others.

At the state level, legislation was introduced or considered in at least 28 states in 2016. Fifteen of those states enacted legislation, many addressing issues related to security practices and protection of information, and cyber crimes in general, including dealing with ransomware.

One example is the new regulation by the New York State Division of Financial Services (NYS-DFS) that goes into effect on March 1, 2017 (changed from January 1) that requires organizations registered as banks, insurers, and other financial institutions in the state to implement comprehensive cyber security programs and policies.  The first bar is to encrypt nonpublic information at-rest and in-transit.  This includes confirming a third party service provider’s adherence to these enhanced data security requirements.  Covered entities have to certify they meet the first set of requirements by February 15, 2018 and annually after that.

Another key requirement of the NYS-DFS cybersecurity regulation and others is to maintain audit trails of sensitive data, including logs of access to critical systems.  While it is important to understand who can and has accessed an information system, it is more important to control and audit the access to the sensitive data inside.  Encrypting documents and controlling who can access them regardless of the user’s or file’s location is key to protecting sensitive data and meeting these regulations.  This ensures that only authorized people inside and outside of the organization can access the information.

One thing to remember is that most regulations prescribe the minimum an organization must do to comply.  As we have seen in recent years, complying with a regulation does not mean you are safe and your data is secure.  You need to think about protecting, controlling and monitoring all sensitive data inside your organization to ensure you meet regulations but also that you maintain your business.

It is clear that regulators and legislators are focused on raising the bar for cybersecurity programs and on assuring the public that nonpublic information remains private.  Organizations need to focus on developing a robust risk-based cybersecurity program rather than reactively responding to regulatory guidance.

The time is now to enhance your data security to meet new regulations and protect your business.

Top Four Cyber Security Predictions For 2017

2016 has been an epic year for cyber security and data breaches.  From recent hacks at Yahoo and LinkedIn to problems at the FDIC and stolen intellectual property from GlaxoSmithKline, this year has been a boon for data breaches large and small.

The past year has shown us that malicious attacks and inadvertent mistakes continue at an alarming rate and the consequences are legal, financial and brand reputation woes.

So how will 2017 fare?  Will we see more of the same or a change in the cyber security landscape?

Here are four security predictions for 2017.

1. Cyber Security Legislation will Change the Face of Business

In the US, cyber security legislation is already strengthening as states and the federal government are trying to force businesses to improve their security posture to prevent the next data breach.  One example is the new regulation by the New York State Division of Financial Services (NYS-DFS) that goes into effect on January 1, 2017 that requires organizations registered as banks, insurers, and other financial institutions in the state to implement comprehensive cyber security programs and policies.  The first bar is to encrypt non-public information.  Executives will be held personally responsible for failure to meet these requirements, so this will definitely cause some changes.

Europe is implementing the General Data Protection Regulation (GDPR), and I can see other countries, including the US federal government, moving toward more serious legislation.  As more governments realize there is a national security risk from these cyber attacks, they will implement tougher rules to help prevent the leaking of sensitive data.


2. Hackers Will Attack the Supply Chain

If a hacker wants to get access to sensitive information from a large company, the easiest approach is to go after a weak link in the supply chain.  This may be a service provider, an attorney or a small business partner.  The large company may have adequate security controls for data that is inside the company, but what about when it leaves the company?  Does the business partner have adequate security controls?

Unless organizations are protecting the data itself, there is no guarantee that it will remain secure and only accessible by an authorized user.  Until organizations persistently protect information at the data level, we will continue to see hacks on the supply chain, including more ransomware attacks, since hackers will exploit the weakest link in the chain.  That weak link may be a trusted insider who inadvertently clicks on a phishing email or accidentally sends sensitive information to the wrong email address.


3. Organizations Will Impose Stricter Data Security on Contractors and Advisors

To meet stricter regulations and comply with data governance initiatives, organizations in 2017 will place stricter controls on how internal and outside partners access data and collaborate.  Internal contractors and other advisors are typically treated as insiders who have access to sensitive data.  These trusted insiders can pose serious security threats, since they do not work for the company and may not be subject to the same security standards as an employee.  Based on the recent Ponemon Institute survey Risky Business: How Company Insiders Put High Value Information at Risk, 70% of organizations do not know the location of confidential information and 73% believe they lost confidential information in the past 12 months.  There is a major risk that a contractor or advisor could steal intellectual property or other high value data and take it with them to their next client.


4. Enterprises Will Adopt a Data-Centric Security Approach Over Perimeter Security

Sensitive data moves in and out of organizations every day and the volumes will only increase in 2017.  Globalization and an increasingly mobile workforce increase the risk of this data getting into the wrong hands.  While many organizations focus on securing the network, servers and endpoint devices, the data itself is what matters most.  This is especially true as more employees use a combination of work and personal devices and consumer versions of Enterprise File Sync and Share (EFSS) systems.

Organizations will shift their focus from protecting the perimeter to protecting the data itself by encrypting it and applying dynamic security policies that impose granular user access controls so that only authorized users can access it.  These security policies will travel with the data regardless of location or device and ensure that the enterprise is always in control of it, including having a comprehensive audit trail of all access.  These measures will allow executives, shareholders and other stakeholders to feel confident that business can continue without interruption and meet the governance needs of its constituents.

Ron Arden shows auditors how to protect against cyber threats

Ron Arden, Executive Vice President of Fasoo, Inc., spoke to members of the Rochester Institute of Internal Auditors (IIA) at the Hilton DoubleTree Hotel in Rochester, NY on December 7, 2016.  Ron delivered a presentation on “Defending Your Intellectual Property Against Cyber and Insider Threats” to this annual event and showed attendees how to use Fasoo’s enterprise digital rights management to protect sensitive information from insider threats and cyber attacks.

With the changing regulatory climate and the constant news on data breaches and cybersecurity incidents, the attendees were very interested in how to protect sensitive information in their organizations, since ensuring proper controls and managing risk are the main focus of this group.  Ron spoke about the new NY State Department of Financial Services (DFS) cybersecurity regulations that require all organizations registered as banks, financial services companies and insurance companies in the state of NY to meet new cybersecurity rules.  A major one is to encrypt all non-public data, which will require major changes in policy and technology.

A number of attendees came up after the presentation and asked about some of the research Ron presented from the recent Ponemon Institute study “Risky Business: How Company Insiders Put High Value Information at Risk”.  One gentleman from a bank commented that finance departments are less likely to expose sensitive information than sales or HR, which may be related to finance professionals having agreed to certain standards of data sharing as part of their professional certifications or degrees.  While that is certainly a possibility, there is still the risk of carelessness, which was cited as the number one cause of data breaches.

Another person asked about protecting information in the supply chain, since third party risk assessment is becoming a bigger issue with regulators.  The HIPAA laws and others make a company responsible for sensitive information shared throughout the supply chain, so a company needs to worry about the security of its suppliers and partners.

As discussed during the event, auditors and risk management professionals are very concerned about meeting regulatory compliance, but also following internal audit and security rules.  During the keynote presentation by Paul Greene, an attorney from Harter Secrest & Emery LLP, there was discussion on how best to meet what can be either vague or overlapping cybersecurity regulations.  Paul talked about recent Federal Trade Commission (FTC) rulings that stipulate that a non-compliant company must have an external cybersecurity audit every 2 years, for the next 20 years, to prove they meet strict cybersecurity guidelines.

There was also discussion about security versus compliance, which is a constant battle.  An auditor can show a company meets HIPAA, SOX, GLB, PCI and many other regulations, but that doesn’t mean they are secure.  Since many regulations are somewhat vague about how to be compliant, the group talked about using cyber security frameworks from NIST as ways to ensure security that goes beyond compliance.

Another discussion area was using analytics to understand what is normal behavior in your organization, so you can determine what is abnormal.  There are weaknesses in controls around data access for many companies and it is challenging to separate the noise from the important details as IT and auditors review logs from security tools.  Organizations need to establish a baseline of normal data access and then look at how activities deviate from the norm.  This will help pinpoint insider threats as well as suspicious activity from compromised systems.

The event showed the growing need for security solutions that focus on protecting and controlling sensitive data as companies try to mitigate the risk of both cyber and insider threats.

New York Financial Services Cybersecurity Regulations

In September 2016, the New York State Department of Financial Services (DFS) proposed a broad set of cybersecurity regulations for banks, insurers, and other financial institutions that will enhance data security and require a comprehensive cybersecurity program and policies to ensure compliance.

The proposed rule is the result of DFS’s focus on cybersecurity over the past several years, in which DFS held cybersecurity discussions with various financial institutions, and issued a letter to US regulators asking for feedback on potential cyber-specific requirements.

The regulation contains several requirements that will be new or more expansive than most organizations currently practice. For example, the proposal’s call for encryption of all nonpublic information will be challenging for many organizations. While most entities encrypt data in-transit, they only encrypt data at-rest in more selective circumstances.

The proposal will also require the chair of the board or a senior officer to submit an annual certification that the organization is complying with the regulations. Those submitting the certification could potentially be exposed to individual liability if the organization’s cybersecurity program is found to be noncompliant.

Fasoo can help financial institutions meet several of the requirements in the regulation.

Encryption of Nonpublic Information
Organizations will have to encrypt nonpublic information at-rest and in-transit.  This includes confirming a third party service provider’s adherence to these enhanced data security requirements.  Encryption requirements for data in-transit must be met by March 2018, while compliance for data at-rest must be met by January 2022.  DFS expects that prior to these dates organizations secure nonpublic information using alternative compensating controls.

Fasoo can address these requirements by encrypting documents and controlling who can access them regardless of the user’s or file’s location.  Below are three use cases in a financial institution where this can occur:

  • A user creates or stores confidential files or derivatives in network repositories, on PCs or sends them (legitimately or by error) to third parties.
  • A user checks out a file containing confidential data from a document repository. Once it is checked out, the company may not have adequate controls on who has the file or where it’s located.
  • An employee creates reports with customer data downloaded from a database to an Excel spreadsheet and stores it on a PC.

Audit trail
Organizations will have to maintain audit trails of sensitive data, including logs of access to critical systems.  Fasoo provides a complete audit trail of who accessed a document, when and from what location.  An administrator can even receive alerts if there is activity detected which is above normal thresholds.
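As an added example (not Fasoo's code, and not from the audit event or this post), the Python below applies the baseline-then-deviation idea from the analytics discussion in the Ron Arden write-up and the above-threshold alerting mentioned here to a constructed document-access audit log; the log line format, user names and locations are all assumptions.

```python
"""Baseline-and-deviation review of document-access audit events (added example,
not Fasoo code). Assumed, constructed log line format:
    <ISO-8601 time> user=<id> doc=<file> location=<site>"""
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) user=(\S+) doc=(\S+) location=(\S+)$")

def parse(line):
    """Return (date, user, doc, location), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return (m.group(1)[:10], m.group(2), m.group(3), m.group(4)) if m else None  # date = ts[:10]

def build_baseline(lines):
    """Per user: mean/stdev of daily document opens plus every location seen."""
    daily = defaultdict(lambda: defaultdict(int))    # user -> date -> opens
    locations = defaultdict(set)
    for date, user, _, loc in filter(None, map(parse, lines)):
        daily[user][date] += 1
        locations[user].add(loc)
    baseline = {}
    for user, per_day in daily.items():
        counts = list(per_day.values())
        baseline[user] = {"mean": statistics.mean(counts), "locations": locations[user],
                          "stdev": statistics.pstdev(counts) if len(counts) > 1 else 0.0}
    return baseline

def detect(baseline, lines, k=3.0, min_margin=5):
    """Alert on a user with no baseline, an access from a location never seen in the
    baseline, or a day whose open count exceeds mean + max(k*stdev, min_margin)."""
    daily = defaultdict(lambda: defaultdict(int))
    alerts = set()
    for date, user, _, loc in filter(None, map(parse, lines)):
        daily[user][date] += 1
        if user not in baseline:
            alerts.add((user, date, "no-baseline", "-"))
        elif loc not in baseline[user]["locations"]:
            alerts.add((user, date, "new-location", loc))
    for user, per_day in daily.items():
        if user in baseline:
            b = baseline[user]
            threshold = b["mean"] + max(k * b["stdev"], min_margin)
            for date, count in per_day.items():
                if count > threshold:
                    alerts.add((user, date, "volume", f"{count} opens > {threshold:g}"))
    return sorted(alerts)

# Constructed sample: a week of routine activity (jsmith: 3 opens/day from HQ;
# contractor1: 1 open/day over VPN), then one review day containing deviations.
BASELINE_LOG = [f"2017-01-0{d}T09:0{n}:00Z user=jsmith doc=r{d}{n}.xlsx location=Rochester-HQ"
                for d in range(2, 9) for n in range(3)]
BASELINE_LOG += [f"2017-01-0{d}T10:00:00Z user=contractor1 doc=s{d}.docx location=VPN" for d in range(2, 9)]
REVIEW_LOG = ["2017-01-09T08:30:00Z user=jsmith doc=r90.xlsx location=Rochester-HQ",
              "2017-01-09T22:15:00Z user=jsmith doc=r91.xlsx location=Hotel-WiFi",
              "2017-01-09T23:00:00Z user=tempstaff doc=r92.xlsx location=Rochester-HQ"]
REVIEW_LOG += [f"2017-01-09T13:{n:02d}:00Z user=contractor1 doc=c{n}.xlsx location=VPN" for n in range(40)]

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), REVIEW_LOG):
        print(*alert)
```

On the sample, the review day yields one volume alert for the contractor, one new-location alert for jsmith and one no-baseline alert for the unknown user; a real deployment would tune k and min_margin per role rather than using one setting for everyone.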

Access privileges
Access to systems containing nonpublic information needs to be restricted to only those people with a business need for access.  Fasoo assigns access control to all sensitive documents so that only users with a legitimate need at the time they open the document can access the data inside.  If a user moves departments and no longer needs access to specific files, their access is automatically removed.

Risk assessment
Organizations will have to conduct annual cybersecurity risk assessments to determine their potential vulnerability and what existing controls are in place to mitigate any risk.  Since all document access is logged using Fasoo, it is simple for an organization to prove that appropriate controls are in place to mitigate risk of exposing sensitive information.

It is clear that regulators across the financial services industry are focused on raising the bar for cybersecurity programs.  Organizations need to focus on developing a robust risk-based cybersecurity program rather than reactively responding to regulatory guidance.

The time is now to address these enhanced data security requirements as the deadlines to meet the regulations are coming up fast.
