New Cybersecurity Regulations About to Hit Everyone
by Steve King
Similarly, this new bill will affect far more companies than those directly engaged in “financial services” and like NYCRR 500, it will include entities that engage in activities that are “financial in nature” like those in the following examples:
A personal property or real estate appraiser will become a covered entity real and personal property appraisal is a financial activity;
All mortgage brokers are covered entities;
All colleges and universities who issue student loans will be covered entities;
An automobile dealership that leases automobiles for longer than 90 days is a covered entity;
A career counselor providing services to individuals currently or recently employed by or seeking employment with a financial organization, or the finance, accounting or audit departments of any company must comply;
All accountants and tax preparers are covered entities;
All retailers who issue their own credit cards to their customers must comply;
And many more examples that will surprise people. In addition, and not unlike GDPR, most businesses that processes, store, or transmit personal financial, banking or economic data, or even advises and provides access to such services is a covered entity.
Taking additional clues from the NYDFS regulation, the new GLBA bill would require covered entities to appoint a Chief Information Security Officer (CISO) who will be charged with the accountability for overseeing the entity’s complete information security program.
That information security program must be developed following a formal security risk assessment which must be conducted on a regular frequency and the results addressed with specific controls, policies and remediations to assure that both systems and data are protected with appropriate safeguards.
The program must contain controls for access authentication and authorization, data encryption both in transit and at risk, fairly rigorous secdevops processes to assure secure application development best practices and methodologies are integrated into development and deployment processes (both internal and external), a requirement for MFA implementation, auditability standards and protocols, data minimization requirements for discarding data no longer necessary for a legitimate business purpose, specific change management procedures, and more.
It reads like an actual recipe for idealized adherence to fundamental best practices as outlined in NIST or one of the many security risk frameworks, and while I applaud it enthusiastically, it will be a giant bridge for most if not all of the companies who will soon discover they are covered entities and that it all applies to them. And by the way, there is not a single specific reference to addressing the largest threat landscape most companies leave exposed, which is the IoT class of vulnerabilities.
So, it is a good start, but it needs to get even tougher.
In addition to process and controls, companies will have to implement operational monitoring systems (SIEM/SOC) to detect both unauthorized access and use of customer information, and any security threats, misconfigured systems, or unpatched vulnerabilities. For slightly larger covered entities that process data on 5,000 or more customers, continuous monitoring and testing must be accompanies by regular and periodic penetration testing and vulnerability assessments. A regular program of security awareness training for all employees is required and must reflect the specific risks identified by the security risk assessments and entities will have to prove that their security team is maintaining current and detailed knowledge of cyber security threats and remediation protocols.
The requirement extends to include third party threat as entities must assess their service providers on a regular frequency to assure their partners are maintaining adequate safeguards to protect customer information they possess or access.
And then the ultimate requirement that no one outside of some larger banks will know how to properly prepare and maintain is an incident response and remediation plan.
So, I have only covered the highlights which pretty much outline fundamental requirements for any best practice set of fundamental information security policies, processes, protocols and technologies, and I am sure that portions will be lobbied out by the time they move to the nest steps toward becoming law, but it is again, a good start.
If you are in any business, the time has come to bite the bullet. Businesses may be unregulated today and for another year or so, but ultimately this sort of legislation will become the default mold for both state level and Federal regulations to come and they are long overdue. We’ve now seen it in New York and California and 24 other states and some combination of NYDFS, CCPA and GDPR will become the standard for data privacy.
Many will climb on the victim train over business regulations, but the responsibility for giving birth to this class of regulation sits squarely on the shoulders of every company and organization who has allowed themselves to be hacked and have lost customer data in the process.
It’s time to act.
PS. If anyone is looking for help in understanding how the new regulation affects their business, I recommend Judy Selby, JD – she and her team know this space cold.
About the author
Steve King is the CISO and Chief Technology Officer for Blackhawk Cyber Defense, Inc., a global leader in Cybersecurity Services and Managed Detection and Response. Steve is a well-known industry thought leader and analyst, writer and speaker on information and cybersecurity technology. Steve was the co-founder of the Cambridge Systems Group which brought to market the leading Data Security product for IBM mainframe computers. As part of his current role, Steve researches the impact of new developments in Cybersecurity Technology and their implications on security in the enterprise, and oversees the integration of the best new technologies into SecureSpecter®, Blackhawk’s award-winning cybersecurity defense system. Steve has founded nine technology product and services start-ups, and raised over $40 million in venture capital.
Steve's LinkedIn profile: https://www.linkedin.com/in/steveking1145/
The article was originaly posted at: https://www.linkedin.com/pulse/new-cybersecurity-regulations-hit-everyone-steve-king/