It has been over 10 years since California took a stand to advocate and enact privacy controls through SB 1386. When that law came into effect, companies faced mandatory reporting requirements for any compromise of personal information of a resident of California. State by state, subsequent privacy laws cascaded across the U.S. The resulting increase in visibility on privacy concerns has continued to impact organizations, especially in light of the massive data breaches the industry has seen. While the new laws did not stop the compromise of personal information, the legislation, along with industry standards such as the Payment Card Industry’s Data Security Standard, paved the way and compelled organizations to start taking security seriously.
On May 6th, a new set of dominos may have been set up to fall. New York State’s Department of Financial Services (DFS) announced new cyber security assessment criteria for banks operating within the state. As the financial capital of the U.S., and arguably the world, this announcement may signal another round of state-driven legislation or regulatory mandates that again raises the bar for security. The report issued by the DFS highlights the growing threat environment facing financial institutions, citing large denial of service attacks, data breaches and other financial crimes as reported through a survey of depository institutions.
One interesting aspect of the NYS DFS report is that, according to the survey, almost 90% of the institutions reported having an information security framework in place that addresses policies, awareness and training, risk management concepts, security audits, and incident monitoring and response. Additionally, ‘a vast majority of the institutions – irrespective of size – reported utilizing some or all’ of the traditional security technologies such as anti-virus, firewalls, intrusion detection/prevention systems, vulnerability scanning and encryption. In fact, when you read the report, most of the organizations seem to be doing all the right things. So why the interest in increasing oversight? The obvious answer is that things continue to change and we continue to see issues and threats rising.
In my last blog, I cited the SEC’s announcement targeting cyber security at financial institutions. The New York state initiative is yet another vector of regulatory scrutiny that financial institutions must face. The impact is obvious for financial institutions affected by these announcements. What does this mean for other companies?
If history repeats, other states may follow suit, creating another round of state-driven mandates for scrutinizing information and cyber security programs: perhaps driven by industry sector, perhaps driven by business models, perhaps as additions to privacy laws. Companies could potentially face compliance reviews against not only state privacy laws but also state cyber security (or whatever term they use) laws, placing another burden on an already saturated regulatory environment. If the NY DFS report is any indicator, this means companies need to be able to clearly articulate:
- Security framework, including policies, standards, training and awareness, and risk management methodologies
- Technology architecture and infrastructure
- Resiliency and disaster recovery controls
- Vendor and third-party risk management
- Corporate governance structure and reporting
- Budget and investment in security
In essence, companies will need to be able to quickly demonstrate the effectiveness of their security implementations against another set of benchmarks. For those companies that thought they dodged the state privacy laws since they don’t capture personal data, think again – it may have just delayed needing to comply with security requirements from the different states.
What this translates into is another driver to ensure security programs are managed and have maturing visions. Policies and standards need to be an active part of the program. Security operations must have the visibility and capabilities to detect and respond to active threats. The organization must be proactive in identifying deficiencies and weaknesses and closing gaps. And finally, the security function must be able to clearly demonstrate the overall effectiveness of security controls across the enterprise. Sounds like a job for Intelligence Driven Security.
On a side note, check out the latest Security for Business Innovation Council report focusing on Strategic Technologies highlighting:
- Accelerated investment in technologies designed for building better anticipatory defenses and improving business productivity.
- Three strategic areas for technology investment that can dramatically strengthen security capabilities: cyber threat resiliency, end-user experience optimization and cloud security.
- Recommendations to successfully navigate new technology deployments and maximize security investments.
These reports always give excellent insight into the minds of CISOs and may help you think through some of the challenges in your organization.