With the increase in high-profile hacking events, regulatory officials across risk-intensive industries are attempting to use their power and insight to improve cybersecurity in their sectors. Regulations can help – they can build a baseline and guidance for minimum security protections, and provide ammunition for information technology professionals trying to institute necessary security controls in a corporate battle with executives preferring maximum growth and delivering operational efficiencies at lower cost.
But regulations also have their drawbacks. They can indicate, or even mandate, a need for expensive changes, and may cause temporary disruptions or slowdowns in business operations. In an effort to be one-size-fits-all, they are often nonspecific, lacking the definition needed for accurate implementation of the requirements. Further, regulations are rarely rigorous enough to support effective security on their own. Information security professionals should use these regulations as a starting point and tailor them to suit their unique business profile. This can be a painstaking task, requiring a survey of the current regulatory environment conducted alongside a practical cost/benefit analysis that may be beyond the experience or resources of some personnel, particularly at small institutions.
This article will highlight four recent regulatory trends, reviewing new cybersecurity regulations emerging in various fields of practice.
Regulatory Trends in Cybersecurity
The New York State Department of Financial Services (NYDFS) regulation isn’t the only standard to advocate for vendor assessment. The updates to the National Institute of Standards and Technology (NIST) framework include Cyber Supply Chain requirements, and the SEC, FINRA and the upcoming joint FDIC/Comptroller of the Currency/Federal Reserve regulation all include similar elements. As mentioned previously, this requirement is heavily resource-intensive and will require preparation by both regulated organizations and those that want to partner with them. Organizations should start planning now for how they will perform these functions, and how they will market themselves as trustworthy partners that adhere to the highest cybersecurity standards.
Network Access Controls
Phishing (including spearphishing) is the number one threat vector for ransomware and malware. According to Verizon, 30% of users open phishing emails and 12% click on the attachments they carry. Given these statistics, regulatory bodies are emphasizing the use of sophisticated network access controls (multi-factor authentication, segmented networks, biometrics) to control which information users can access and how they can access it. Binding users’ identities to their credentials in ways that are difficult for malicious actors to subvert is key to preventing such incursions.
This requirement is highlighted by a recent incident in which Morgan Stanley Smith Barney LLC (MSSB) agreed to settle charges related to its failure to protect private customer/client information. According to a recent report, the action referred to the SEC’s “Safeguards Rule”, which requires covered entities to have policies and procedures to safeguard client information. Although MSSB had standard policies to protect customers’ personally identifiable information (PII), the company did not adequately restrict employee access to the PII of customers they did not work with, and its testing and monitoring practices were inadequate. MSSB’s case presents a cautionary tale for companies in a variety of industries: regulations can serve as a guideline for best practices, but adherence to regulations may not be sufficient to shield every action or inaction from liability. As technology continues to evolve, it will inevitably surpass what is covered, and even what may be anticipated, by existing regulations, requiring information security professionals to adjust their approaches on the fly to match the resulting realities.
Emphasis on Audits and Investigations
The Health Insurance Portability and Accountability Act (HIPAA) regulations have not recently been updated, but enforcement of them has been much more active in the current environment. In the first half of 2016, HIPAA enforcement logged $20 million in settlements, a sharp rise compared with the $28 million in the twelve years prior to 2016. With all the attention being paid to cybersecurity challenges, we can expect other regulators to crack down on their covered organizations as well if compliance becomes an issue.
Involvement of the Executive Board
CIOs have long been calling for increased involvement from the boardroom on matters of cybersecurity. Board members with relevant backgrounds or higher awareness can align with CIOs to weigh the importance of cybersecurity concerns against the traditional goals of other C-suite members, fostering the integration of protective practices into other operational areas of the business. Regulators have taken notice and want to elevate cybersecurity issues. The upcoming FDIC/Comptroller of the Currency/Federal Reserve regulation (detailed below) requires the Executive Board to review cyber risk governance policies and procedures. The NYDFS cybersecurity regulation requires the CISO of each covered entity to report in writing at least annually to the entity’s board of directors or equivalent governing body. Board members should become familiar with the new regulations and with the cybersecurity landscape as part of their fiduciary responsibility – their involvement will surely increase over the next few years.
Newly Instituted and Proposed Cybersecurity Regulations
New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
The new regulations from the NYDFS went into effect last week (effective March 1, 2017), starting the clock on thousands of entities covered under the NYDFS purview. There are several readily available published summaries of the regulation; instead, the focus here will be on identifying the challenges to information security and compliance professionals as they try to meet the terms of these regulations.
Mismatched order of implementation. The NYDFS regulation separates its various requirements into four buckets, each with a different timeline for implementation. Companies falling under NYDFS must institute the basic requirements concerning policies, plans and personnel within 180 days; assessments, controls and training requirements fall into the twelve-month bucket; technology changes and advanced security procedures (such as application security or secure disposal) must happen within eighteen months; and within two years, companies must provide security analysis of their third-party service providers.
By and large, this is a good order that reflects the practical difficulty levels of such implementations. The one glaring contradiction, however, is that the requirement to conduct a risk assessment falls within the twelve-month window, while policies must already be in place within the first 180 days. Without a proper asset inventory and risk assessment of all systems, it will be impossible for a company to properly set up its cybersecurity policies and access controls in a manner that is consistent with the risk appetite and business needs of the organization. In fact, after the Chief Information Security Officer (CISO) is identified and cybersecurity roles and responsibilities are determined, the inventory and risk assessment is the very next item that should be on the list for implementation.
Vague nature of some parts of the regulation. NYDFS mandates encryption at rest and in transit over external networks for all Nonpublic Information held by covered entities, but allows the CISO to use effective alternative compensating controls if encrypting at rest and in transit is ‘infeasible’. This puts an unfortunate and unsustainable amount of pressure and liability on the CISO (whether internal or external) who will be making that determination.
The NYDFS mandate about multi-factor authentication is likewise inexact in its instruction, and was likely designed to be flexible based on the organization’s own needs and systems. But if there is a subsequent breach, the company (and the CISO) would have to defend the choices they made in instituting these security controls. As was discussed earlier in the incident with the Securities and Exchange Commission and MSSB, following the letter of a regulation is sometimes not enough to avoid findings of fault and substantial penalties when a breach occurs.
Cost of doing business. The types of security controls described above are expensive to implement, and will likely raise the cost of doing business for many of the covered entities that fall under 23 NYCRR 500. NYDFS, like most regulatory bodies, does not make cost a first priority when drafting regulations, but the companies that must comply have an elemental need to evaluate and balance those choices. Smaller firms that may be starting at a much lower level of security will face increased expenditures, both in technology and in services, including the need to hire outside experts to assist with compliance and implementation.
National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Update: Draft Version 1.1 Released January 10, 2017.
The NIST Framework for Improving Critical Infrastructure Cybersecurity (“the framework”) was created in 2014 as directed by Presidential Executive Order 13636. This framework has evolved from its original purpose and audience, and has since been used as a reference by companies of varying size and industry. The new draft incorporates feedback and comments on the first draft and is designed to appeal to a wider array of enterprises and professionals. Of particular note are three sections that are either entirely new or have been profoundly changed in the upgrade:
Measuring and Demonstrating Cybersecurity. NIST added an entire section on measuring cybersecurity, part of its effort to stress effective communication regarding cybersecurity issues and to integrate cybersecurity matters into existing organizational elements. NIST’s measurement plan stresses tracking both security metrics and business outcomes, and suggests that the two should be linked if at all possible. As stated in the NIST update, however, this is a difficult proposition.
For instance, NIST suggests metrics for the Protect Function to “develop and implement the appropriate safeguards to ensure delivery”, and suggests that the senior executive be held accountable by measuring “percentage uptime of system(s) (i.e. ensuring delivery).” The lagging metric is “creating and communicating strategy for development and implementation for data security.” “Creating and communicating” is hard to measure quantifiably, however – it’s more of a ‘how and why’ question than an empirical one.
NIST delineates suggested measurements, some of which are easier to quantify than others. It is to be hoped that the final version of the update will be able to provide even more guidance regarding cybersecurity strategic planning, implementation and measurement.
Supply Chain Risk Management. Supply chain risk management is a category within the Identify Function. This completely new section entails setting supply chain risk processes; identifying, prioritizing and assessing suppliers and partners; forming contractual agreements with those suppliers and partners to ensure that they adhere to appropriate security measures; instituting monitoring and auditing procedures; and integrating suppliers and providers into response and recovery planning efforts.
Ensuring universally high cybersecurity standards for outside vendors is a substantial, even daunting task for any organization. It will be essential to integrate this process into the company’s larger risk management program, as suppliers and vendors servicing one area of the company may have requirements different from others, predicated on the systems and data to which they have access. This effort to incorporate analysis of third-party vendors, which has been mirrored in other new regulations (see the section above on vendor assessments), will continue to be a challenge to risk managers in the days and years ahead.
Identity Management, Authentication, and Access Control. This section is not new, but has been greatly expanded. As previously indicated, there are alarming statistics about the ability of malicious actors to gain access to a network using social engineering techniques (phishing, spearphishing, and the like). Given this kind of threat environment, it is essential to institute policies driven by the principles of least privilege (users have access only to the information they absolutely need) and separation of duties, and to link users’ identities to their credentials. NIST has edited this section to emphasize these ideas, integrating risk management into this process.
Department of the Treasury Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Board), and Federal Deposit Insurance Corporation (FDIC) Notice on Enhanced Cyber Risk Management Standards.
These three organizations have released an advance notice of proposed rulemaking (ANPR) regarding enhanced cyber risk management standards for large and interconnected entities (with total consolidated assets of $50 billion or more on an enterprise-wide basis) under their supervision, and those entities’ service providers. The ANPR addresses five areas of cyber standards:
Cyber risk governance
Cyber risk management
Internal dependency management
External dependency management
Incident response, cyber resilience, and situation awareness
Of particular interest, and what sets the ANPR apart from other existing cybersecurity regulations, are the following:
Its inclusion of third-party service providers. The ANPR proposes that the OCC, the Board and the FDIC would extend these regulations to third-party service providers that fall below the $50 billion asset threshold or that might otherwise be outside the jurisdiction of the OCC, the Board and the FDIC.
The need for the board of directors to certify cyber risk governance policies and procedures. The ANPR states that the enhanced standards would place a strong emphasis on the need to demonstrate effective cyber risk governance – that cyber risk is monitored and managed at a consistent risk appetite and tolerance level as approved by the board of directors.
Requirements regarding independence of senior leaders with responsibility for cyber risk management. The agencies are considering a requirement that all such officers be independent of business line management and have direct, independent access to the board of directors.
Proposed Executive Order on Cybersecurity
The new Executive Order on cybersecurity is expected to drop sometime in March or April of 2017. While it is yet to be released, reports indicate that two elements to be introduced will serve to strengthen the cyber risk responsibility for government agencies as follows:
The Office of Management and Budget (OMB) will make implementing the NIST framework mandatory for all government agencies; and
Responsibility for improving cybersecurity will lie with the agency heads themselves.
With the rampant proliferation of enterprise technologies and the concurrent explosion of malfeasance in the cyber realm, 2016 and the beginning months of 2017 have been active times for regulators, and they show no sign of easing up. We should expect to see cybersecurity regulations across various industries updated regularly and new directives being crafted and introduced by a myriad of governing bodies. Further complicating this environment will be regulations enacted by other countries, and state regulations that overlap in coverage with existing U.S. national guidelines. There are already new or updated regulations to watch for in the European Union, Japan, and Canada. Information security and compliance managers will be hard pressed to find effective ways to integrate controls and compliance while still supporting the business needs of their organization; it is no small task.
Natasha Cohen is a graduating student in SIPA's International Security Studies Program and a member of the Cyber Defense Practice at K2 Intelligence. She tweets @tashabcohen and can be reached at firstname.lastname@example.org.