Attacks/Breaches
3/6/2017 01:40 PM
Prakash Linga
Commentary

New York's Cyber Regulations: How to Take Action & Who's Next

Even if your company isn't directly subject to these new rules, you can assume that the approach will be adopted by regulatory agencies at home and abroad eventually.

In September, New York Governor Andrew Cuomo released the nation's first state-mandated cybersecurity regulations for banks and other financial institutions that reside in the state of New York. Fast forward to today, and financial firms are about to embark on a series of regulations put in place March 1 by the state Department of Financial Services, the National Association of Insurance Commissioners (NAIC), and the SEC, all aimed at protecting clients, consumers, and financial entities from the “ever-growing threat of cyber attacks.”

In the face of these new regulations, banks, hedge funds, insurers, and financial institutions must ensure client information, PII, investment strategy and all non-public information is safe and protected. The revised NY DFS proposal includes a few significant provisions that are very relevant to the office of the CISO and the CIO; the most relevant are new requirements for access controls, encryption, and data loss prevention, and how security teams react and prepare.

What’s new? A focus on protecting data directly
Although the NY DFS cyber regulations build on earlier work by the SEC and the NAIC, there are four new and notable provisions that apply to protecting financial information. The new regs:

  • Enforce the broad implementation of encryption
  • Restrict access privileges to both systems and data
  • Provide for the retention and “timely destruction” of non-public information
  • Designate a qualified chief information security officer to oversee the implementation of these programs

These new regulations are notable because they dramatically expand the categories of data to be encrypted (the current draft calls for the “encryption of all nonpublic information held or transmitted”), and also tie them tightly to access control, acceptable usage policy, and data retention.

Here are four best practices security teams can begin applying to these requirements today.

1. Simple disk encryption isn’t enough
A driving force for the NY DFS is how often client information is shared “everywhere,” and how little control financial firms have over their data once it’s shared with third-party vendors. I’ve seen it first-hand. A leading New York hedge fund with over $20 billion in assets under management is constantly exchanging sensitive information with vendors that work outside financial firms. Lawyers, auditors, contractors, you name it. In my experience, it’s astonishing to see how very lax their procedures are for information that leaves the organization.

To comply, firms will need to implement protections beyond basic encryption at rest and in transit. They’ll need to find ways to enforce granular limitations on access privileges, implement new audit systems to document data governance inside and outside the firewall, and be able to remotely apply data disposition and destruction rules. It’s clear that firms will need to deploy more dynamic forms of data protection that extend beyond their current systems.

2. Access controls at the data level
Ultimately, encryption, access controls, and data-in-use protections must persist with your information, independent of the type of data protected, where it’s stored, or how it’s shared. It’s no longer feasible to define access at the system, device, or perimeter. Identity is the one attribute that crosses on-premises, cloud, and unmanaged services, and provides a consistent way to set, audit, and control access to confidential information.

Take for example, an influential asset manager in Manhattan. That manager must now secure all legal, HR, and financial data stored in its local file shares. In order to maintain strict data governance requirements, IT and security teams must ensure their security tools integrate with the fund’s Active Directory to assign rights and permissions to highly sensitive data, anywhere files travel.

3. Automate audit trails
In the past, the requirement for an audit trail on data access was seen as an add-on or an afterthought. The NY DFS requirements call for improved visibility into data use, and a way to track and log access privileges and reconstruct transactions.

Consider a private equity shop in New York that now must track quarterly letters sent to its limited partners. This will entail logging all authorized and unauthorized access attempts to the data, including details such as how, when and whether their licensed partners opened their investor communications, or whether competitors or nonaccredited investors attempted to access its nonpublic information.

4. Retention and “timely destruction” of data
This is not just for data that’s located internally, but anywhere that data travels, which is critical for financial institutions that work with hundreds of third-party vendors. How many times have you heard of someone sending the wrong file to the wrong person? Or the M&A deal with company financials shared, downloaded and kept once the deal ends? Ultimately, giving owners of the data the ability to call back that data or kill access is paramount.

Exactly how does this apply in the real world? The mergers and acquisitions arm of a public banking entity must destroy its nonpublic information after the bank’s retention period expires. Access to all copies of the diligence materials, investor decks, financial models, accounting profiles, and audits is automatically destroyed, even if they’ve been moved to personal devices.
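As an added illustration (not the article's or Vera's code), here is a small Python model of practices 2 through 4 together: access decided by an identity-bound policy that travels with the document rather than by where the file sits, an audit log of every authorized and unauthorized attempt, and a retention deadline plus an owner-initiated revocation. All identities, dates and document names are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Policy:
    """Policy bound to the data itself, so it applies wherever a copy travels."""
    owner: str
    readers: set            # identities (e.g. directory principals) allowed to open
    expires_at: datetime    # retention deadline: access ends here automatically
    revoked: bool = False   # owner's kill switch for copies already shared

@dataclass
class ProtectedDocument:
    name: str
    policy: Policy
    audit_log: list = field(default_factory=list)

    def open(self, identity: str, now: datetime) -> bool:
        """Decide on identity and policy, not on where the file sits, and
        log every attempt, allowed or denied, with the reason."""
        if self.policy.revoked:
            reason = "revoked by owner"
        elif now >= self.policy.expires_at:
            reason = "retention period expired"
        elif identity not in self.policy.readers:
            reason = "identity not authorized"
        else:
            reason = "authorized"
        allowed = reason == "authorized"
        self.audit_log.append({"doc": self.name, "who": identity, "when": now.isoformat(),
                               "allowed": allowed, "reason": reason})
        return allowed

def denied_reasons(doc: ProtectedDocument) -> list:
    """What an auditor reviews: the reason for every refused attempt."""
    return [e["reason"] for e in doc.audit_log if not e["allowed"]]

def demo() -> tuple:
    """Constructed scenario: a quarterly letter shared with one limited partner."""
    t0 = datetime(2017, 3, 1, tzinfo=timezone.utc)
    policy = Policy(owner="ir@fund.example", readers={"lp1@partner.example"},
                    expires_at=t0 + timedelta(days=90))
    letter = ProtectedDocument("Q1-letter.pdf", policy)
    results = [letter.open("lp1@partner.example", t0),                       # authorized
               letter.open("rival@other.example", t0),                       # not a reader
               letter.open("lp1@partner.example", t0 + timedelta(days=91))]  # expired
    policy.revoked = True                   # owner calls the data back after it left the firm
    results.append(letter.open("lp1@partner.example", t0 + timedelta(days=1)))
    return results, denied_reasons(letter)
```

In a real deployment the policy and log would be enforced by the protection service rather than by the reader's client, and the identities would come from the firm's directory (the Active Directory integration the text mentions).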

Coming to a regulatory body near you
Even if your firm isn’t directly subject to these new regulations, it’s safe to assume that this approach will be rapidly adopted by similar regulatory bodies domestically and around the world. We’re already seeing international bodies like the EU Parliament seek to expand regulation and expectations for cybersecurity outward from financial services. And as we’ve observed time and time again domestically, the best practices and approaches adopted in the financial system quickly make their way out into less-regulated industries.

Prakash is the chief technology & product officer and co-founder of Vera. In this role, he oversees all products and technology, and is responsible for developing the overall product strategy and technical vision of the company. Prakash is an entrepreneur who is passionate ...