
Attacks/Breaches
3/6/2017 01:40 PM
Prakash Linga
Commentary

New York’s Cyber Regulations: How to Take Action & Who’s Next

Even if your company isn't directly subject to these new rules, you can assume that the approach will be adopted by regulatory agencies at home and abroad eventually.

In September, New York Governor Andrew Cuomo released the nation's first state-mandated cybersecurity regulations for banks and other financial institutions that reside in the state of New York. Fast forward to today, and financial firms are about to embark on a series of regulations put in place March 1 by the state Department of Financial Services, the National Association of Insurance Commissioners (NAIC), and the SEC, all aimed at protecting clients, consumers, and financial entities from the “ever-growing threat of cyber attacks.”

In the face of these new regulations, banks, hedge funds, insurers, and financial institutions must ensure that client information, PII, investment strategy, and all non-public information are safe and protected. The revised NY DFS proposal includes a few significant provisions that are very relevant to the office of the CISO and the CIO; the most relevant are new requirements for access controls, encryption, and data loss prevention, and for how security teams react and prepare.

What’s new? A focus on protecting data directly
Although the NY DFS cyber regulations build on earlier work by the SEC and the NAIC, there are four new and notable provisions that apply to protecting financial information. The new regs:

  • Enforce the broad implementation of encryption
  • Restrict access privileges to both systems and data
  • Provide for the retention and “timely destruction” of non-public information
  • Designate a qualified chief information security officer to oversee the implementation of these programs

These new regulations are notable because they dramatically expand the categories of data to be encrypted (the current draft calls for the “encryption of all nonpublic information held or transmitted”), and also tie them tightly to access control, acceptable usage policy, and data retention.

Here are four best practices security teams can begin applying to these requirements today.

1. Simple disk encryption isn’t enough
A driving force for the NY DFS is how often client information is shared “everywhere,” and how little control financial firms have over their data once it’s shared with third-party vendors. I’ve seen it first-hand. A leading New York hedge fund with over $20 billion in assets under management is constantly exchanging sensitive information with vendors that work outside financial firms. Lawyers, auditors, contractors, you name it. In my experience, it’s astonishing to see how lax their procedures are for information that leaves the organization.

To comply, firms will need to implement protections beyond basic encryption at rest and in transit. They’ll need to find ways to enforce granular limitations on access privileges, implement new audit systems to document data governance inside and outside the firewall, and be able to remotely apply data disposition and destruction rules. It’s clear that firms will need to deploy more dynamic forms of data protection that extend beyond their current systems.

2. Access controls at the data level
Ultimately, encryption, access controls, and data-in-use protections must persist with your information, independent of the type of data protected, where it’s stored, or how it’s shared. It’s no longer feasible to define access at the system, device, or perimeter. Identity is the one attribute that crosses on-premises, cloud, and unmanaged services, and provides a consistent way to set, audit, and control access to confidential information.

Take, for example, an influential asset manager in Manhattan. That manager must now secure all legal, HR, and financial data stored in its local file shares. In order to maintain strict data governance requirements, IT and security teams must ensure their security tools integrate with the fund’s Active Directory to assign rights and permissions to highly sensitive data, anywhere files travel.

3. Automate audit trails
In the past, the requirement for an audit trail on data access was seen as an add-on or an afterthought. The NY DFS requirements call for improved visibility into data use, and a way to track and log access privileges and reconstruct transactions.

Consider a private equity shop in New York that now must track quarterly letters sent to its limited partners. This will entail logging all authorized and unauthorized access attempts to the data, including details such as how, when, and whether their licensed partners opened their investor communications, or whether competitors or nonaccredited investors attempted to access its nonpublic information.

4. Retention and “timely destruction” of data
This is not just for data that’s located internally, but anywhere that data travels, which is critical for financial institutions that work with hundreds of third-party vendors. How many times have you heard of someone sending the wrong file to the wrong person? Or the M&A deal with company financials shared, downloaded and kept once the deal ends? Ultimately, giving owners of the data the ability to call back that data or kill access is paramount.

Exactly how does this apply in the real world? The mergers and acquisitions arm of a public banking entity must destroy its nonpublic information after the bank’s retention period expires. Access to all copies of the diligence materials, investor decks, financial models, accounting profiles, and audits is automatically destroyed, even if they’ve been moved to personal devices.
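The three data-centric requirements in sections 2 through 4 (identity-bound access that travels with the file, an audit trail of every access attempt, and owner revocation plus key destruction when the retention period expires) can be modelled in one object. This is an added Python example, not code from the article or from Vera; the document name, identities and dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import secrets

class ProtectedDocument:
    """Protection that travels with the data: content key, identity grants, audit, erasure."""
    def __init__(self, name, owner, retention_days, now):
        self.name, self.owner = name, owner
        self.retention_end = now + timedelta(days=retention_days)
        self._key = secrets.token_bytes(32)   # content key; destroyed for good at retention_end
        self.grants = {}                      # identity -> grant expiry (UTC datetime)
        self.audit = []                       # (when, identity, action, allowed, reason)

    def grant(self, identity, until):
        self.grants[identity] = min(until, self.retention_end)  # never outlives retention

    def revoke(self, identity, now):
        removed = self.grants.pop(identity, None) is not None   # owner "kills" access
        self.audit.append((now, identity, "revoke", removed, "grant removed" if removed else "no grant"))
        return removed

    def enforce_retention(self, now):
        if self._key is not None and now >= self.retention_end:
            self._key = None                  # cryptographic erasure: every copy is now unreadable
            self.audit.append((now, self.owner, "destroy", True, "retention period expired"))

    def open(self, identity, now):
        self.enforce_retention(now)           # decide whether identity may read now; log either way
        if self._key is None:
            allowed, reason = False, "key destroyed at retention end"
        elif identity == self.owner:
            allowed, reason = True, "owner"
        elif identity not in self.grants or now >= self.grants[identity]:
            allowed, reason = False, "no valid grant"
        else:
            allowed, reason = True, "grant valid"
        self.audit.append((now, identity, "open", allowed, reason))
        return allowed

def demo():
    # Constructed scenario: a quarterly letter shared with one limited partner (all names made up).
    t0 = datetime(2017, 3, 6, tzinfo=timezone.utc)
    doc = ProtectedDocument("Q4 LP letter", "ir-team@pe-shop.example", 90, t0)
    doc.grant("lp@partner.example", until=t0 + timedelta(days=30))
    results = [doc.open("lp@partner.example", t0 + timedelta(days=1)),        # True
               doc.open("rival@competitor.example", t0 + timedelta(days=2)),   # False: no valid grant
               doc.revoke("lp@partner.example", t0 + timedelta(days=3)),       # True: access killed
               doc.open("lp@partner.example", t0 + timedelta(days=4)),        # False: revoked
               doc.open(doc.owner, t0 + timedelta(days=90))]                  # False: key destroyed
    return doc, results
```

The audit list is the reconstructable record the regulation asks for: every open attempt, allowed or denied, plus the revoke and destroy events, each tied to an identity and a timestamp.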

Coming to a regulatory body near you
Even if your firm isn’t directly subject to these new regulations, it’s safe to assume that this approach will be rapidly adopted by similar regulatory bodies domestically and around the world. We’re already seeing international bodies like the EU Parliament seek to expand regulation and expectations for cybersecurity outward from financial services. And as we’ve observed time and time again domestically, the best practices and approaches adopted in the financial system quickly make their way out into less-regulated industries.

Prakash is the chief technology & product officer and co-founder of Vera. In this role, he oversees all products and technology, and is responsible for developing the overall product strategy and technical vision of the company. Prakash is an entrepreneur who is passionate ...
