3/6/2017 01:40 PM
Prakash Linga
Commentary

New York's Cyber Regulations: How to Take Action & Who's Next

Even if your company isn't directly subject to these new rules, you can assume that the approach will be adopted by regulatory agencies at home and abroad eventually.

In September, New York Governor Andrew Cuomo released the nation's first state-mandated cybersecurity regulations for banks and other financial institutions that operate in the state of New York. Fast forward to today, and financial firms are about to come under a series of regulations put in place on March 1 by the state Department of Financial Services, the National Association of Insurance Commissioners (NAIC), and the SEC, all aimed at protecting clients, consumers, and financial entities from the "ever-growing threat of cyber attacks."

In the face of these new regulations, banks, hedge funds, insurers, and other financial institutions must ensure that client information, PII, investment strategy, and all other non-public information is protected. The revised NY DFS proposal includes a few significant provisions that are very relevant to the offices of the CISO and the CIO; the most relevant are new requirements for access controls, encryption, and data loss prevention, and for how security teams prepare and respond.

What’s new? A focus on protecting data directly
Although the NY DFS cyber regulations build on earlier work by the SEC and the NAIC, there are four new and notable provisions that apply to protecting financial information. The new regs:

  • Enforce the broad implementation of encryption
  • Restrict access privileges to both systems and data
  • Provide for the retention and “timely destruction” of non-public information
  • Designate a qualified chief information security officer to oversee the implementation of these programs

These new regulations are notable because they dramatically expand the categories of data to be encrypted (the current draft calls for the “encryption of all nonpublic information held or transmitted”), and also tie them tightly to access control, acceptable usage policy, and data retention.

Here are four areas where security teams can begin working toward these requirements today.

1. Simple disk encryption isn’t enough
A driving force for the NY DFS is how often client information is shared "everywhere," and how little control financial firms have over their data once it's shared with third-party vendors. I've seen it first-hand. A leading New York hedge fund with over $20 billion in assets under management is constantly exchanging sensitive information with outside vendors: lawyers, auditors, contractors, you name it. In my experience, it's astonishing to see how very lax their procedures are for information that leaves the organization.

To comply, firms will need to implement protections beyond basic encryption at rest and in transit. They’ll need to find ways to enforce granular limitations on access privileges, implement new audit systems to document data governance inside and outside the firewall, and be able to remotely apply data disposition and destruction rules. It’s clear that firms will need to deploy more dynamic forms of data protection that extend beyond their current systems.

2. Access controls at the data level
Ultimately, encryption, access controls, and data-in-use protections must persist with your information, independent of the type of data protected, where it's stored, or how it's shared. It's no longer feasible to define access only at the system, device, or perimeter level. Identity is the one attribute that crosses on-premises, cloud, and unmanaged services, and it provides a consistent way to set, audit, and control access to confidential information.

Take, for example, an influential asset manager in Manhattan. That manager must now secure all legal, HR, and financial data stored in its local file shares. In order to meet strict data governance requirements, IT and security teams must ensure their security tools integrate with the fund's Active Directory to assign rights and permissions to highly sensitive data, anywhere files travel.

3. Automate audit trails
In the past, the requirement for an audit trail on data access was seen as an add-on or an afterthought. The NY DFS requirements call for improved visibility into data use, and a way to track and log access privileges and reconstruct transactions.

Consider a private equity shop in New York that now must track quarterly letters sent to its limited partners. This will entail logging all authorized and unauthorized access attempts to the data, including details such as how, when, and whether its limited partners opened their investor communications, or whether competitors or non-accredited investors attempted to access its non-public information.

4. Retention and "timely destruction" of data
This is not just for data that’s located internally, but anywhere that data travels, which is critical for financial institutions that work with hundreds of third-party vendors. How many times have you heard of someone sending the wrong file to the wrong person? Or the M&A deal with company financials shared, downloaded and kept once the deal ends? Ultimately, giving owners of the data the ability to call back that data or kill access is paramount.

Exactly how does this apply in the real world? The mergers and acquisitions arm of a public banking entity must destroy its non-public information after the bank's retention period expires. Access to all copies of the diligence materials, investor decks, financial models, accounting profiles, and audits is revoked automatically, even if they've been moved to personal devices.
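The mechanics behind points 2 through 4 above, as an added example that is not from the article and not code from Vera or any product it describes: a per-document data key gates access by identity rather than by location, every access attempt is logged, and revocation or retention expiry destroys the key (crypto-shredding), so every copy of the ciphertext, wherever it has been moved, becomes unreadable. The identities, document names and letter text are constructed for the example. To run on the standard library alone, the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag; in production you would use AES-GCM or ChaCha20-Poly1305 from a vetted library instead.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF (demo construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(data_key: bytes):
    """Derive independent encryption and MAC keys from the per-document data key."""
    return (hashlib.sha256(b"enc|" + data_key).digest(),
            hashlib.sha256(b"mac|" + data_key).digest())


def seal(data_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; the returned blob is safe to hand to anyone."""
    enc_key, mac_key = _subkeys(data_key)
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(data_key: bytes, blob: dict) -> bytes:
    """Verify the tag before decrypting; a modified blob is rejected outright."""
    enc_key, mac_key = _subkeys(data_key)
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("ciphertext or tag has been modified")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class Policy:
    allowed: set       # identities permitted to open the document (e.g. AD user principal names)
    expires_at: float  # retention deadline (epoch seconds); the key is destroyed after this


@dataclass
class KeyService:
    """Owner-side service: holds data keys and policies, never the ciphertext itself."""
    keys: dict = field(default_factory=dict)
    policies: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def protect(self, doc_id: str, plaintext: bytes, policy: Policy) -> dict:
        key = secrets.token_bytes(32)
        self.keys[doc_id] = key
        self.policies[doc_id] = policy
        return seal(key, plaintext)  # the blob may now travel anywhere

    def open(self, doc_id: str, identity: str, blob: dict, now: float = None):
        """Return plaintext if policy allows, else None. Every attempt is logged."""
        now = time.time() if now is None else now
        if doc_id not in self.keys:
            return self._log(doc_id, identity, "denied", "key destroyed")
        policy = self.policies[doc_id]
        if now > policy.expires_at:
            self.revoke(doc_id, "retention period expired")
            return self._log(doc_id, identity, "denied", "retention period expired")
        if identity not in policy.allowed:
            return self._log(doc_id, identity, "denied", "identity not in policy")
        self._log(doc_id, identity, "allowed", "identity in policy")
        return unseal(self.keys[doc_id], blob)

    def revoke(self, doc_id: str, reason: str = "owner revoked access") -> None:
        """Crypto-shredding: delete the key and every copy of the blob becomes unreadable."""
        self.keys.pop(doc_id, None)
        self._log(doc_id, "key-service", "revoked", reason)

    def _log(self, doc_id, identity, outcome, reason):
        self.audit.append({"doc": doc_id, "who": identity, "outcome": outcome, "reason": reason})
        return None


def demo() -> list:
    """Constructed scenario: a quarterly letter shared with one LP, probed by a rival,
    then revoked by the owner. Returns the audit trail."""
    svc = KeyService()
    letter = b"Q3 letter: NAV up 4.2% (constructed sample)"
    blob = svc.protect("q3-letter", letter, Policy({"lp@investor.example"}, expires_at=2000.0))
    assert svc.open("q3-letter", "lp@investor.example", blob, now=1000.0) == letter
    assert svc.open("q3-letter", "rival@competitor.example", blob, now=1000.0) is None
    svc.revoke("q3-letter")
    assert svc.open("q3-letter", "lp@investor.example", blob, now=1000.0) is None
    return svc.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the split is that the ciphertext can be copied to a vendor's laptop or a personal phone without the owner losing control: nothing in the blob is useful without the key service, which is where identity is checked against the policy (the `allowed` set is where an Active Directory group lookup would go), where the audit record is written, and where retention is enforced by deleting the key rather than by chasing down copies.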

Coming to a regulatory body near you
Even if your firm isn’t directly subject to these new regulations, it’s safe to assume that this approach will be rapidly adopted by similar regulatory bodies domestically and around the world. We’re already seeing international bodies like the EU Parliament seek to expand regulation and expectations for cybersecurity outward from financial services. And as we’ve observed time and time again domestically, the best practices and approaches adopted in the financial system quickly make their way out into less-regulated industries.

Prakash is the chief technology & product officer and co-founder of Vera. In this role, he oversees all products and technology, and is responsible for developing the overall product strategy and technical vision of the company. Prakash is an entrepreneur who is passionate ...