The Evolving Cybersecurity Regulatory Environment: Tracking Current Trends and Staying Ahead of the Curve
- by 7wData
With the increase in high-profile hacking events, regulatory officials across risk-intensive industries are attempting to use their power and insight to improve cybersecurity in their sectors. Regulations can help – they can establish a baseline and guidance for minimum security protections, and they give information technology professionals ammunition when trying to institute necessary security controls in a corporate battle with executives who prefer maximum growth and operational efficiencies delivered at lower cost.
But regulations also have their drawbacks. They can indicate, or even mandate, a need for expensive changes, and may cause temporary disruptions or slowdowns in business operations. In an effort to be one-size-fits-all, they are often nonspecific, lacking the definition needed for accurate implementation of their requirements. Further, regulations are rarely rigorous enough to support effective security on their own. Information security professionals should use these regulations as a starting point and tailor them to suit their unique business profile. This can be a painstaking task, requiring a survey of the current regulatory environment conducted alongside a practical cost/benefit analysis that may be beyond the experience or resources of some personnel, particularly at small institutions.
This article will highlight four recent regulatory trends, reviewing new cybersecurity regulations emerging in various fields of practice.
The New York State Department of Financial Services (NYDFS) regulation isn’t the only standard to advocate for vendor assessment. The updates to the National Institute of Standards and Technology (NIST) framework include Cyber Supply Chain requirements, and the SEC, FINRA and the upcoming joint FDIC/Comptroller of the Currency/Federal Reserve regulation all include similar elements. As mentioned previously, this requirement is heavily resource-intensive and will require preparation by both regulated organizations and those that want to partner with them. Organizations should start planning now for how they will perform these functions, and how they will market themselves as trustworthy partners that adhere to the highest cybersecurity protocols.
Phishing, or spearphishing, is the number one threat vector for ransomware and malware. According to Verizon, 30% of users open phishing emails and 12% click on the attachments they carry. Given these statistics, regulatory bodies are emphasizing the use of sophisticated network access controls (multi-factor authentication, segmented networks, biometrics) to control which information users can access and how they can access it. Binding users’ identities to their credentials in ways that are difficult for malicious actors to subvert is key to preventing such incursions.
This requirement was highlighted in a recent incident in which Morgan Stanley Smith Barney LLC (MSSB) agreed to settle charges related to its failure to protect private customer/client information. According to a recent report, the action referred to the SEC’s “Safeguards Rule”, which requires covered entities to have policies and procedures to safeguard client information. Although MSSB had standard policies to protect customers’ personally identifiable information (PII), the company did not adequately restrict employee access to the PII of customers they did not work with, and its testing and monitoring practices were inadequate. MSSB’s case presents a cautionary tale for companies in a variety of industries: regulations can serve as a guideline for best practices, but adherence to regulations may not be sufficient to indemnify every action or inaction. As technology continues to evolve, it will inevitably surpass what is covered, and even what may be anticipated, by existing regulations, requiring information security professionals to adjust their approaches on the fly to match the ensuing realities.