N.Y. Regulators Consider Cybersecurity Requirements for Banks and Insurers

N.Y. Regulators Weigh Cybersecurity Requirements for Banks, Insurers (Insurance Journal): According to a recent report in Insurance Journal, New York Financial Services (“NYFS”) Superintendent Anthony Albanese, indicated that “robust regulation” is needed to address cybersecurity needs within the banking and insurance industry.  This article indicates that the NYFS recommendation is the result of a survey of more than 150 banks and nearly 50 insurers.  The agency’s findings include:

• Companies have taken significant steps to address cybersecurity; however the rapid pace of technological change coupled with an increasingly sophisticated threat landscape will pose enduring challenges,
• Third-party providers (“TPP”)s have access to sensitive data as well as internal information technology (“IT”) systems, thereby creating a potential breach entry point,
• In order to manage TPP access, the following tools/methodologies should be utilized: (a) multifactor authentication (“MFA”), (b) data encryption, (c) loss indemnification, (d) warranties, (e) incident notices, and (f) audits,
• Regulated banks and insurers would be required to conduct annual penetration (“PEN”) testing and quarterly vulnerability assessements,
• Regulated entities would need to implement audit logging that would include privileged user access and anti-log tampering controls
• Any breached entity would be required to notify NYFS of any security incident that the entity believes “… has a reasonable likelihood of materially affecting the normal operation of the entity, including any cyber security incident”.

The full article is here.

My Opinion:

Overall, any agency action that spurs thoughtful and relevant dialogue with respect to cybersecurity is probably not a bad thing.  That being said, I worry that the creation of industry specific solutions to cybersecurity will invariably, by design, create weak spots in our cybersecurity armor.  It seems that cybersecurity is the latest “flavor of the month” and everyone wants to jump on the bandwagon from industry professionals to academics, to folks running for political office.  This is worrisome on a number of levels:

• cybersecurity is a discipline that covers both technology as well as the human element, trying to focus on one of these pieces solely and exclusively just is not effective,
• on the technical side, one must balance the ability to access information with the ability to limit access to information, this is not necessarily an easy balance to achieve,
• personally identifiable information (PII) and metadata about us, is pervasive, from our customer loyalty cards, to our Netflix “suggestions”, to our Tivo viewing habits — this information is pure gold to advertisers (and potentially the big brother government as well) — if we secure one industry and leave these huge gaping holes from which our PII can be accessed, we are still infinitely vulnerable,
• regulations such as those being discussed by the NYFS take a point approach to cybersecurity — such as implementing MFA for TPPs.  This can help harden TPP access but if users and administrators are not using MFA then they become ripe targets for social engineering or other such attacks that focus on the human element.
• stick with what you know: the NYFS probably has some excellent protocols and procedures for regulating the financial industry — though they probably know very little about cybersecurity.  With a nationwide shortage of cybersecurity professionals is it wise to put cybersecurity in the hands of any agency that is not dedicated wholly and solely to cybersecurity issues?

The International Organization for Standardization (“ISO”), International Electrotechnical Commission (“IEC”) developed a standard for information security in the mid-1990s and the latest standard is ISO27002:2013.  Additionally, the National Institute of Standard and Technology (“NIST”) developed a “Framework for Improving Critical Infrastructure Cybersecurity” (“CSF”).  Taken together, the ISO27002:2013 as well as NIST: CSF provide guidelines from which a cybersecurity initiative can be designed and implemented.

If Federal, State, or Local government choose to discuss cybersecurity, I am strongly in favor of doing so.  In order to address cybersecurity and to ensure that a complete and cohesive strategy is developed, however, we need to start by focusing on PII, who accesses, who stores it, and who controls it.  Once we understand those variables we can begin to examine cybersecurity in the context of PII rather than by looking at a specific industry and making half-baked suggestions on improving cybersecurity issues.

To Illustrate the problem of focusing on a specific industry, consider the following:

1. Agency develops protocols and procedures for cybersecurity in Industry X;
2. Industry X implements the minimum cybersecurity standards to avoid fines, penalties, or additional regulation,
3. PII exists in the stream of commerce and, therefore, flows from Industry X to Industry Y;
4. Industry Y is not subject to same cybersecurity regulation as Industry X;
5. PII is breached while in Industry Y
   1. Industry Y has no breach notification requirement
   2. Industry Y is not subject to fines, penalties, or damages

This is an admittedly simplistic look at the flow of PII but in focusing on either the technology element or the human element, or one industry, instead of all industries, we run the risk of events such as those above exposing our PII.