Cybersecurity: The New Compliance

Over the past few years, we’ve seen a large increase in the number of regulations across all sectors regarding cybersecurity. Just a few of the sectors affected by new cybersecurity regulations include:

The financial sector has a number of new cybersecurity requirements set by federal and state regulators. The most common set of requirements is found in the Federal Financial Institution Examination Council handbook. That publication is comprised of a number of booklets that contain resources and requirements financial institutions are expected to adhere to. In addition to the FFIEC booklet, there are also several guides that financial regulators publish. For example, the Office of the Comptroller of Currency (OCC), has a guidance on third-party risk management, specifically aimed at institutions they regulate. Though each agency has its own specific rules and regulations, the FFIEC handbook is the go-to resource for information security regulation for financial institutions in the US. In 2016 The Federal Financial Institutions Examination Council (FFIEC) issued a revised Management booklet, which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The Management booklet, including the examination procedures, was substantially revised. The booklet outlines the principles of sound governance and, more specifically, information technology (IT) governance. The booklet explains how IT risk management relates to enterprise-wide risk management and governance. One important change to the handbook included incorporation of cybersecurity concepts as part of information security.

The best-known standard for cybersecurity compliance in healthcare is the Health Insurance Portability and Accountability Act. HIPAA establishes cybersecurity standards for healthcare organizations, insurers, and the third-party service providers medical organizations do business with. In addition to HIPAA, a supplemental act called The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed which supports the enforcement of HIPAA requirements by raising the penalties of health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was formed in response to health technology development and increased use, storage and transmittal of electronic health information.

Businesses that provide services to the U.S. Department of Defense (DOD), must meet cyber requirements defined in the Defense Federal Acquisition Regulation Supplement (DFARS) and Procedures, Guidance, and Information (PGI). To protect sensitive defense information, DFARS outlines cybersecurity standards a third party must meet and comply with prior to doing business with the DOD.

Consumer Data
Forty-seven states (and the District of Columbia) have enacted cybersecurity compliance requirements for organizations to notify them about security breaches that compromise customer data. For instance, if a company holds sensitive personal information about customers (eg., social security numbers, account numbers, or payment card information) and they experience a breach, they’re obligated to notify those affected. The Federal Trade Commission (FTC) can also penalize organizations for failing to adequately protect consumer data. In addition, the retail sector isn’t specifically federally regulated, but it is subject to regulations from the Payment Card Industry Security Council’s Data Security Standard (PCI DSS).  The PCISC issues security standards for all organizations that process payment cards or hold payment card data.

While regulations for insurance departments and companies are a state by state matter, many have issued requirements to protect consumer information. In October 2016, the New York State Department of Financial Services (DFS) proposed new regulations around cybersecurity for both financial organizations and insurance companies. On March 1, 2017, that proposed regulation went into effect. Though this regulation is specific to only those entities covered by the New York State Department of Financial Services’ (DFS) cybersecurity regulation, this first-in-the-nation cybersecurity regulation, won’t be the last.

In a recent press release a spokesman for the NYS DFS said “With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems”.

Effective March 1, 2017, and beginning August 28, 2017, banks, insurance companies and other financial services institutions regulated by DFS are required to have a cybersecurity program designed to protect consumers’ private data, a written policy or policies that are approved by the board or a senior officer, a Chief Information Security Officer (CISO) to help protect data and systems, and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry. Covered entities must also begin reporting cybersecurity events to DFS through the Department’s online cybersecurity portal.

As time will tell, we believe other organizations and industries across the country will take advantage of the opportunity presented by the NYSDFS cybersecurity requirements and will evaluate their own cybersecurity and compliance programs leading them to more and improved security measures including prudent and effective regulations.  Cyber risks and threats are not going away. The need for improved processes, procedures, rules and regulations to mitigate those risk will only increase.  As additional cybersecurity rules are mandated, cybersecurity compliance will become mandatory, not just because a regulator demands it, but because protection of information and data, as well as the survival of the entity requires it.

Regulatory change is being driven not just by regulators but by prudent business practice and new technologies. Both managers and examiners now know that a company’s carefully constructed cybersecurity fortress, designed to keep criminals out, must also look at the internal employee or other “insider” with access to an organization’s networks and systems. Intentionally or unintentionally, insiders can cause devastating leaks of information and data, make payment transfers, grant criminals access to security codes, and cause other damage. As organizations continue to increase security around new technologies, criminals are increasing their focus on the human element as an entry point into network systems. Phishing tactics continue to be more authentic in appearance, with embedded malware that, once clicked, will infect or spread through an organization’s systems. Scams that target mobile devices and social media sites that are accessed by employees on company mobile devices are increasing. Insider risk is a real and growing threat that is made worse when organizations grant employees access to systems and networks where they do not need it. If an employee is successfully duped by a phishing attempt or wants to steal information from the company, he or she can inflict far greater damage if the organization has not properly configured access levels to align with the employee’s level of authority and job responsibilities.

Strong deterrents, as well as training and awareness programs, must be implemented to ensure employees comply with the company’s rules, along with safeguards to identify those who do not comply. Ultimately, prudent policies, practices, rules and regulations will be the tools used to protect companies, clients, and consumers against the potentially devastating consequences of these types of cyber risks. As regulatory requirements for financial institutions have undeniably become tougher, the cyber threat environment has toughened as well. Just as the financial sector has been addressing risk through new regulation, other industries aren’t far behind.  

Remember, information is the new currency, and cyber thieves are the new bank robbers.  In this digital age, protection of digital currency and data will require new rules and regulations to safeguard that information. Compliance with those rules will be paramount in defeating the new age bank robbers (a.k.a. cyber thieves).