Attacks/Breaches

3/6/2017
01:40 PM
Prakash Linga
Prakash Linga
Commentary
Connect Directly
Facebook
LinkedIn
RSS
E-Mail vvv
0%
100%

New Yorks Cyber Regulations: How to Take Action & Whos Next

Even if your company isn't directly subject to these new rules, you can assume that the approach will be adopted by regulatory agencies at home and abroad eventually.

In September, New York Governor Andrew Cuomo released the nation's first state-mandated cybersecurity regulations for banks and other financial institutions that reside in the state of New York. Fast forward to today, and financial firms are about to embark on a series of regulations put in place March 1 by the state Department of Financial Services, the National Association of Insurance Commissioners (NAIC), and the SEC, all aimed at protecting clients, consumers, and financial entities from the “ever-growing threat of cyber attacks.”

In the face of these new regulations, banks, hedge funds, insurers, and financial institutions must ensure client information, PII, investment strategy and all non-public information is safe and protected. The revised NY DFS proposal includes a few significant provisions that are very relevant to the office of the CISO and the CIO;, the most relevant are new requirements for access controls, encryption, and data loss prevention, and how security teams react and prepare.

What’s new? A focus on protecting data directly
Although the NY DFS cyber regulations build on earlier work by the SEC and the NAIC, there are four new and notable provisions that apply to protecting financial information. The new regs:

  • Enforce the broad implementation of encryption
  • Restrict access privileges to both systems and data
  • Provide for the retention and “timely destruction” of non-public information
  • Designate a qualified chief information security officer to oversee the implementation of these programs

These new regulations are notable because they dramatically expand the categories of data to be encrypted (the current draft calls for the “encryption of all nonpublic information held or transmitted”), and also tie them tightly to access control, acceptable usage policy, and data retention.

Here are four best practices security teams can begin on these requirements today.

1. Simple disk encryption isn’t enough
A driving force for the NY DFS is how often client information is shared “everywhere,” and how little control financial firms have over their data once it’s shared with third-party vendors. I’ve seen it first-hand. A leading New York hedge fund with over $20 billion in assets under management is constantly exchanging sensitive information with vendors that work outside financial firms. Lawyers, auditors, contractors, you name it. In my experience, it’s astonishing to see how very lax their procedures are for information that leaves the organization.

To comply, firms will need to implement protections beyond basic encryption at rest and in transit. They’ll need to find ways to enforce granular limitations on access privileges, implement new audit systems to document data governance inside and outside the firewall, and be able to remotely apply data disposition and destruction rules. It’s clear that firms will need to deploy more dynamic forms of data protection that extend beyond their current systems.

2. Access controls at the data-level
Ultimately, encryption, access controls, and data-in-use protections must persist with your information, independent of the type of data protected, where it’s stored, or how it’s shared. It’s no longer feasible to define access at the system, device, or perimeter. Identity is the one attribute that crosses on-premises, cloud, and unmanaged services, and provides a consistent way to set, audit, and control access to confidential information.

Take for example, an influential asset manager in Manhattan. That manager must now secure all legal, HR, and financial data stored in its local file shares. In order to maintain strict data governance requirements, IT and security teams must ensure their security tools integrate with the fund’s Active Directory to assign rights and permissions to highly sensitive data, anywhere files travel.

3. Automate audit trails
In the past, the requirement for an audit trail on data access was seen as an add-on or an after-thought. The NY DFS requirements call for improved visibility into data use, and a way to track and log assess privileges and reconstruct transactions.

Consider a private equity shop in New York that now must track quarterly letters sent to its limited partners. This will entail  logging all authorized and unauthorized access attempts to the data, including details such as  how, when and whether their licensed partners opened their investor communications, or whether competitors or nonaccredited investors attempted to access its nonpublic information.

4. Retention and ‘timely destruction” of data
This is not just for data that’s located internally, but anywhere that data travels, which is critical for financial institutions that work with hundreds of third-party vendors. How many times have you heard of someone sending the wrong file to the wrong person? Or the M&A deal with company financials shared, downloaded and kept once the deal ends? Ultimately, giving owners of the data the ability to call back that data or kill access is paramount.

Exactly how does this apply in the real world? The mergers and acquisitions arm of a public banking entity must destroy its nonpublic information after the bank’s retention period expires. Access to all copies of the diligence materials, investor decks, financial models, accounting profiles, and audits are automatically destroyed, even if they’ve been moved to personal devices 

Coming to a regulatory body near you
Even if your firm isn’t directly subject to these new regulations, it’s safe to assume that this approach will be rapidly adopted by similar regulatory bodies domestically and around the world. We’re already seeing international bodies like the EU Parliament seek to expand regulation and expectations for cybersecurity outward from financial services. And as we’ve observed time and time again domestically, the best practices and approaches adopted in the financial system quickly make their way out into less-regulated industries.

Related content: 

Prakash is the chief technology & product officer and co-founder of Vera. In this role, he oversees all products and technology, and is responsible for developing the overall product strategy and technical vision of the company. Prakash is an entrepreneur who is passionate ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.