New York State Cyber Security Regulations for Financial Institutions Could Be Model for Other States

The first phase of the New York state cyber security regulations, which apply to insurance companies, banks, and other financial institutions operating within the state, went into effect on March 1.

While the insurance and finance industries are already highly regulated, New York’s legislation is the first at the state level to mandate specific cyber security requirements. While there is some overlap with existing regulations and standards, the requirements under New York’s law are very specific. However, there’s nothing Earth-shattering about the requirements; they consist of common-sense, proactive cyber security practices that all organizations should already be adhering to. Because of this, and the international reach of the finance and insurance organizations it applies to, it is expected to be a model for other states.

Requirements of the New York State Cyber Security Regulations

The new law is 14 pages long and contains 23 sections; you can download a PDF copy of it here. Among other things, organizations must:

• Design and implement a cyber security program based on a comprehensive risk assessment. Among other requirements, the program must address the organization’s plan to detect and respond to “Cybersecurity Events,” “recover from Cybersecurity Events and restore normal operations and services,” and “fulfill applicable regulatory reporting obligations.” The cyber security program must also establish secure development procedures for applications developed in-house.
• Implement and maintain a written cyber security policy. The policy must be based on the risk assessment and include “policies and procedures for the protection of [the organization’s] Information Systems and Nonpublic Information stored on those Information Systems.”
• Design and maintain a written cyber security incident response plan.
• Provide all employees with ongoing cyber security awareness training.
• Designate a Chief Information Security Officer (CISO). The organization may hire its own CISO or use a third-party service provider to fulfill this function.
• Perform penetration testing, vulnerability assessments, and periodic risk assessments.
• Maintain audit trails.
• Establish appropriate system user access privileges.
• Employ “qualified cybersecurity personnel” to perform cyber security-related functions. Third-party personnel may be substituted for in-house employees. Importantly, the law requires that these personnel be provided with ongoing training so that they stay current in their field.
• Establish a separate cyber security policy for third-party service providers.
• Utilize multi-factor authentication and data encryption.

The law also contains reporting, notification, and confidentiality requirements, as well as certain exemptions for organizations with fewer than 10 employees, less than $5 million in gross annual revenues, and less than $10 million in assets.

Skills Gap Could Make Compliance Challenging

Most banks, other financial organizations, and insurance agencies in the state of New York have six months from March 1 to implement the first phase of the law, including the cyber security policy, employee training program, and incident response program. Despite the law’s exemptions for smaller firms, many finance and insurance organizations are worried about their ability to comply with the new law. There is a significant cyber security skills gap, which has already driven salaries through the stratosphere – assuming an organization can even find qualified talent to begin with. Now that multinational Wall Street finance companies are expected to begin aggressively recruiting security analysts and engineers, the talent pool will shrink even further, and labor costs will rise even higher.

The new law is quite complex, and the penalties for non-compliance are very high. Now more than ever, firms affected by the New York law need to (1) Make use of RegTech software such as Continuum GRC’s IT Audit Machine (ITAM) to automate their governance, risk, and compliance functions and (2) Outsource their cyber security to a qualified third-party provider such as Lazarus Alliance.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will ensure that your organization is complying with the new requirements under New York’s cyber security law, and protect you from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to the New York state cyber security regulations, maintain compliance, and secure your systems.

RegTech Simplifies Governance, Risk, and Compliance

As compliance costs skyrocket, standards grow increasingly complex, and the cyber threat environment evolves, organizations are turning to RegTech solutions to automate their compliance processes and improve their overall cybersecurity posture.

Compliance with regulatory and industry standards, such as HIPAA, PCI DSS, FedRAMP, and SSAE 16 SOC reporting, are a burdensome yet necessary part of doing business in the digital world. Organizations operating in highly regulated industries, such as healthcare and finance, face significant compliance challenges, especially when they must comply with multiple standards. HIPAA, for example, applies to any organization that handles medical records, including schools, collection agencies that handle medical debt, personal injury attorneys, and SaaS providers of healthcare software; meanwhile, these same organizations may also have to comply with PCI DSS, SSAE 16 reporting, SOX, and other applicable standards.

Organizations must figure out which standards apply to them, then continually keep up with reporting requirements, audits, and the inevitable changes in those standards as technology and the cyber threat environment evolve. It is estimated that regulatory compliance costs U.S. businesses about $2 trillion annually, and in a perverse twist, small business’s compliance costs are over three times higher than what large companies bear. This heavy burden helps explain why so many enterprise cyber security “plans” start and end with compliance, even though compliance does not equate to data security. It’s not necessarily that organizations don’t care about whether their data is secure, but that they spend so much money and time on compliance, there’s nothing left to tackle cyber security.

Fortunately, technology has made it possible for organizations to achieve compliance and secure their systems and data, at an affordable cost.

RegTech to the Rescue

One of the biggest problems in many organizations is the fact that their compliance processes – or the processes of their third-party compliance providers – are not automated. Some companies still use spreadsheet programs such as Excel for compliance reporting and audits, even though Excel was never meant to be used with the very large data sets produced by today’s complex data environments. But RegTech software, such as Continuum GRC’s IT Audit Machine (ITAM), can.

While the term “RegTech” is most commonly associated with the finance industry, RegTech solutions can be employed by any organization that must adhere to compliance standards, including healthcare, cloud computing, SaaS, education, and public-sector organizations. RegTech solutions utilize big data capabilities and rapid report creation to automate data management and reporting. Instead of multiple, disparate spreadsheets and ledgers, RegTech software creates a centralized repository of all IT compliance requirements with associated controls and automated information flows for audits, assessments, and testing.

Making Sense of Big Data

The big problem with big data is that it amounts to a lot of big noise unless you have the capability to analyze it and derive actionable insight from it. RegTech doesn’t just simplify your compliance processes; it also strengthens your enterprise’s cyber security by providing the advanced data analysis capabilities you need to make sense of your data environment and discover where your vulnerabilities lie. The ITAM, for example, integrates IT governance, policy management, risk management, and incident management. In addition to taking the pain out of the compliance process, it empowers you to document and analyze IT risks, develop mitigation plans, define security controls, and manage ongoing risk assessments so that you can anticipate new and emerging threats and stop them before a breach occurs.

RegTech is poised to transform IT governance, compliance, and cyber security. Organizations that employ this new technology will free up money, time, and human resources to innovate, create, and pursue long-term organizational goals instead of being bogged down in regulatory paperwork and worried about data breaches and other cyber attacks.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization successfully simplify Governance, Risk, and Compliance, and secure your systems.

New PCI DSS Ecommerce Best Practices Replace Previous Guidelines Issued in 2013

Consumers love shopping online and are abandoning malls for mobile shopping apps in droves. However, online shopping environments offer multiple opportunities for hackers to steal payment card data. Even worse, as more brick-and-mortar stores implement card chip technology to defeat skimmers and other forms of POS system fraud, thieves are gravitating toward card-not-present (CNP) ecommerce environments, where the pickings are easier. In an effort to address the growing threat of ecommerce fraud and clear up confusion among merchants regarding encryption and digital certificates, the PCI Security Standards Council has just released a PCI DSS ecommerce information supplement with updated best practices for ecommerce cyber security, which replaces the previous PCI DSS ecommerce guidelines issued in 2013.

Previously, the PCI Council had mandated that all online merchants implement TLS 1.1 encryption or higher by the end of June 2016, then later extended the deadline to June 2018. However, the PCI Council recognized that many merchants did not fully understand their responsibilities and options regarding encryption and digital certificates. The new PCI DSS ecommerce guidelines include a primer on SSL and TLS that explains the difference between SSL and TLS and how to select a Certification Authority (CA) and a public key certificate. There is also a list of questions merchants commonly have about certificate types and TLS migration options; four case studies outlining ecommerce security solutions in different data environments; and a section devoted to best practices for securing ecommerce sites.

Understanding and Complying With the New PCI DSS Ecommerce Guidelines

As the PCI Council itself points out, the new guidelines “[do] not replace or supersede requirements in any PCI SSC Standard.” They “[contain] revised content to address changes in risk and supporting technologies” and are meant to help merchants protect themselves against emerging threats and prepare for migration to TLS 1.1+ encryption.

Although the TLS migration deadline is still over a year away, the PCI Council does not recommend waiting. There are numerous security vulnerabilities in SSL and early (pre-1.1) versions of TLS that are incapable of being fixed or patched. Any ecommerce site running SSL or early TLS is at serious reach of being breached and should upgrade as soon as possible. This is critical even for small ecommerce businesses. Hackers do not discriminate between sole proprietorships and multinational corporations, and a tiny startup may be less able to absorb the financial hit of a breach than a multinational.

In addition to extensive information on TLS 1.1+ migration, the guidelines contain a list of best practices for securing ecommerce stores, including:

• Know the location of all your cardholder data; use data flow diagrams to identify your systems, processes, and security controls.
• If you don’t need it, don’t store it; PCI DSS 3.1 requires that merchants store cardholder data for only as long as they need to, and not store sensitive authentication data at all after authorization.
• Evaluate the risks of your associated e-commerce technology; PCI DSS Requirement 12.2 mandates that organizations include their ecommerce environments in their annual risk-assessment process.
• Conduct ASV scanning and penetration testing of ecommerce environments; even if you are outsourcing your web hosting and management, it is still your responsibility under PCI DSS to ensure that your vendor is conducting these important tests.

The PCI Council also mandates comprehensive cyber security training for staff and recommends that merchants promote cyber security awareness among their customers. Although the latter is not a requirement for PCI DSS compliance, it is still an excellent idea. Security-aware customers are less likely to fall victim to credit card fraud, which benefits merchants by reducing fraud-related losses. Additionally, in our connected world, hacks no longer happen in a vacuum; cyber security is everyone’s responsibility.

The PCI DSS ecommerce best practices supplement is 64 pages long, and much of the content is quite technical. Many merchants, especially small companies, may feel overwhelmed by the information, advice, and requirements outlined in the document, as well as PCI DSS compliance in general. That’s why merchants should seek the help of a PCI DSS Qualified Security Assessor (QSA) such as Lazarus Alliance. As a QSA, Lazarus Alliance has been approved by the PCI Security Standards Council to measure organizations’ compliance with the PCI DSS audit standard. Our PCI DSS experts will walk your business through the compliance process, including your online store’s migration to TLS 1.1+, and ensure that your systems are compliant and secured against data breaches, DDoS attacks, ransomware, and other forms of abuse.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization successfully migrate to TLS 1.1 or higher, achieve and maintain PCI DSS compliance, and secure your systems.