Companies must make cybersecurity a continuous priority as cybersecurity threats evolve and expand, often more quickly than does the technology, regulations, and best practices to counter them.
If corporate leaders do not understand how federal and local cybersecurity laws relate to their business operations, they may face substantial fines, all while trying to remedy the theft of proprietary or client data, which often brings remediation costs, lost revenue, litigation costs, and reputational damage.
One regulatory regime that decided it would not wait for the federal government to act or for businesses to merely add sound protective measures over their data and networks after being hacked was New York’s Department of Financial Services (NYDFS). By examining the cybersecurity regulation the NYDFS put into place — with the last component becoming effective this past March — even businesses not subject to it can learn from its prescriptions and get in front of the growing trend of increased regulatory oversight in this arena.
The impact of the NYDFS regs
The NYDFS, which oversees banks, insurance companies, credit unions, money transmitters, and mortgage bankers and brokers, among others, released a draft of its cybersecurity regulation in 2017 and held two public comment periods on it.
The NYDFS cybersecurity regulation has a few key requirements for covered entities — namely, the creation of a detailed cybersecurity plan, the designation of a chief information security officer (CISO), the enactment of a comprehensive cybersecurity policy, and the maintenance of an ongoing reporting system for cybersecurity events. The regulation also mandates either effective and continuous monitoring (or other systems) to detect changes in information systems that may create or indicate vulnerabilities, or else annual penetration testing and bi-annual vulnerability assessments.
The superintendent who helmed the NYDFS during the rollout and fine-tuning stages of this regulation was Maria Vullo, now the CEO of Vullo Advisory Services. Vullo recently spoke to Thomson Reuters Regulatory Intelligence about how businesses need to develop a risk-based approach to the regulation.
“We strove to make the regulations not overly prescriptive, so companies could model their approach according to the specific risks they faced, based on their type of business, clients, size, etc.,” Vullo said. “And we wanted the companies to be able to evolve in their approach as technology evolved.”
This approach made sense because the NYDFS oversees financial services firms of all sizes, business types, and product offerings, she added, noting that it also makes sense from the end-user perspective, because the companies that need to comply with these new regulations have very different resources available to them.
Even the important role of the CISO is somewhat flexible, in that this individual can have another job function in the firm and not use that specific title. But the role is an integral one, Vullo said, and it’s premised on the notion that there must be accountability for the cybersecurity programs operating within businesses.
An important component of a business’s resiliency against cyber intrusions depends upon employee training because a large number of such intrusions are due to employees making mistakes, she added.
Cybersecurity enforcement & guidance
Developments in the past few years, like the highly publicized Equifax data breach and the adoption of data privacy regulations, have put financial services businesses on notice that the days of “hoping for the best” with information security are over.
In July, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, imposing more expansive data security and data breach notification requirements on companies. It takes effect on March 21, 2020. And the New York State Attorney General, Letitia James, recently filed suit against Dunkin’ Donuts for fraudulent business conduct, deceptive business practices, and false advertising, alleging that the company misrepresented to consumers that it provided reasonable safeguards to protect their personal information and would notify them in a timely manner about a breach.
On the federal level, the Financial Industry Regulatory Authority recently sent a notice to regulated entities warning them about business email compromise scams, and the Commodity Futures Trading Commission fined a futures commission merchant for failing to provide adequate employee training on such things as phishing emails.
Reminders to businesses
Companies need to address any siloed security tools, processes, and corporate departments that have not done enough to provide holistic protection and keep up with today’s threats. Otherwise, companies can find themselves subject to intrusions because they have neglected simple password best practices and multi-factor authentication.
Further, training programs help make employees understand how even the simple steps they take every day — and the threats they need to watch out for — can truly make a difference to a business’s cybersecurity protection.
CISOs inside businesses must show upper-level executives and board members that the business has both a detailed plan for conducting regular assessments of its capabilities and infrastructure and a realistic incident response plan that the business can follow during an actual incident.
And in terms of disclosures to customers and regulators, businesses must avoid overly rosy and untrue portrayals of the security measures they have adopted and instead adhere to a notification protocol that observes accuracy, candor, and timeliness.