The Evolving Cybersecurity Regulatory Environment: Tracking Current Trends and Staying Ahead of the Curve

With the increase in high-profile hacking events, regulatory officials across risk-intensive industries are attempting to use their power and insight to improve cybersecurity in their sectors. Regulations can help: they establish a baseline and guidance for minimum security protections, and they give information technology professionals ammunition when trying to institute necessary security controls in a corporate battle with executives who prefer maximum growth and operational efficiencies delivered at lower cost.

But regulations also have their drawbacks. They can indicate, or even mandate, a need for expensive changes, and may cause temporary disruptions or slowdowns in business operations. In an effort to be one-size-fits-all, they are often nonspecific, lacking the definition needed for accurate implementation of the requirements. Further, regulations are rarely rigorous enough to support effective security on their own. Information security professionals should use these regulations as a starting point and tailor them to suit their unique business profile. This can be a painstaking task, requiring a survey of the current regulatory environment conducted alongside a practical cost/benefit analysis that may be beyond the experience or resources of some personnel, particularly at small institutions.

This article highlights four recent regulatory trends, reviewing new cybersecurity regulations emerging in various fields of practice.

The New York State Department of Financial Services (NYDFS) regulation isn’t the only standard to advocate for vendor assessment. The updates to the National Institute of Standards and Technology (NIST) framework include Cyber Supply Chain requirements, and the SEC, FINRA and the upcoming joint FDIC/Comptroller of the Currency/Federal Reserve regulation all include similar elements. As mentioned previously, this requirement is heavily resource-intensive and will require preparation from both regulated organizations and those that want to partner with them. Organizations should start planning now for how they will perform these functions, and for how they will market themselves as trustworthy partners that adhere to the highest cybersecurity standards.

Phishing or spearphishing is the number one threat vector for ransomware and malware. According to Verizon, 30% of users open phishing emails and 12% click on the attachments they carry. Given these statistics, regulatory bodies are emphasizing the use of sophisticated network access controls (multi-factor authentication, segmented networks, biometrics) to control which information users can access and how they can access it. Binding users’ identities to their credentials in ways that are difficult for malicious actors to subvert is key to preventing such incursions.

This requirement is highlighted by a recent incident in which Morgan Stanley Smith Barney LLC (MSSB) agreed to settle charges related to its failure to protect private customer/client information. According to a recent report, the action referred to the SEC’s “Safeguards Rule”, which requires covered entities to have policies and procedures to safeguard client information. Although MSSB had standard policies to protect customer personally identifiable information (PII), the company did not adequately restrict employee access to the PII of customers they did not work with, and its testing and monitoring practices were inadequate. MSSB’s case presents a cautionary tale for companies in a variety of industries: regulations can serve as a guideline for best practices, but adherence to regulations may not be sufficient to shield every action or inaction from liability. As technology continues to evolve, it will inevitably surpass what is covered, and even what may be anticipated, by existing regulations, requiring information security professionals to adjust their approaches on the fly to match the ensuing realities.