Although financial services companies have been required to abide by cybersecurity laws for many years, such as the SEC’s Identity Theft Red Flag Rule and the Security Rule of the Gramm-Leach-Bliley Act, the developing cybersecurity regulatory landscape is continuing to gain momentum as the number of industries impacted increases.
2017’s New York State Department of Financial Services (NYS DFS) Part 500 cybersecurity regulation, which will become fully implemented this year when its fourth and final phase takes effect on March 1st, appears to be a good indicator of cybersecurity regulation to come. The National Association of Insurance Commissioners’ (NAIC) 2017 Insurance Data Security Model Law has already been adopted by a handful of state regulators, with more to follow. Additionally, recent activity surrounding proposed and approved state privacy and cybersecurity laws will impact industries that have not been subject to these types of regulations before.
Read on to learn which cybersecurity regulations could be impactful this year, challenges this may present, and reasons behind these changes.
Which 2019 Cybersecurity Regulations Should Be Kept Top-Of-Mind?
NYS DFS Part 500
Although this regulation became effective over two years ago, the last of the four phases of requirements becomes enforceable on March 1st of this year. Preparing for compliance with this phase was particularly challenging because it requires minimum cybersecurity practices to be met by financial institutions’ third-party service providers, some of whom went from having no regulatory cybersecurity requirements to needing to meet the stringent requirements of NYS DFS Part 500.
NAIC Insurance Data Security Model Law
This model law, approved in October 2017, creates information security standards for insurers, with compliance dates dependent on adoption by state regulators. The NAIC’s goal is for the majority of states to adopt the law within three years, giving insurers one year thereafter to comply. South Carolina was the first state to adopt it, in July of last year. While this law closely follows many of the key requirements of NYS DFS Part 500, some of its provisions are more prescriptive, such as those on board involvement and incident reporting.
Privacy Laws with Cybersecurity Impact
The California Consumer Privacy Act (CCPA), effective January 2020, has been given much attention by the privacy world since its passing in mid-2018. This law should not be overlooked by audit or security professionals for its cybersecurity components. Companies that have had sector-specific cybersecurity regulatory requirements or have made recent changes to comply with the EU’s GDPR have a head start on CCPA’s information security/cybersecurity requirements.
Companies that have not been governed by any cybersecurity regulation will need to evaluate their current capabilities and determine how to implement information security controls such as encryption, user access management, and disaster recovery/business continuity, among others. As of late January, Washington State and New Jersey had released drafts of their own laws, similar to CCPA. There is a strong public-sector desire for a federal privacy law that would preempt all state privacy laws, as companies would rather abide by one regulation than a patchwork of state laws with differing requirements.
What Are Some Expected Challenges for Information Security Professionals?
The Infancy of Cybersecurity Regulations
As with any new law that has not yet been enforced by a regulator, there is much uncertainty as to which elements of these cybersecurity laws regulators will prioritize. Even industries which have already been subject to cybersecurity regulations cannot expect the exact same experience with new regulators. Until precedent is set with a series of publicly known enforcement actions and fines, audit and security professionals will need to use their judgment on where to focus compliance efforts, especially if meeting all regulatory requirements is not achievable by the effective date.
Going From No Law to Strict Law
Although there are many infosec professionals who work for organizations that have been subject to cybersecurity regulations, there are many who have not had this experience. The challenge for the latter will be implementing cybersecurity controls that were not previously required, while also learning to efficiently and effectively demonstrate compliance to regulators.
Educating the Executive Committee
Although keeping the executive committee educated and informed has been a task for infosec and audit departments for years, new regulations will raise new questions. Regulatory compliance has been, and will continue to be, an increasing focus area for organizations, especially because of the risk of large fines for non-compliance, as demonstrated by last year’s GDPR. Next year’s CCPA does include a private right of action, which means potential financial penalties could be extremely high. Infosec professionals will need to thoroughly understand the top requirements of new cybersecurity regulations and be able to give executives comfort that these are being met.
Why Are Cybersecurity Regulations Increasing?
Protection of Personally Identifiable Information
The increasing frequency of news headlines about companies whose insufficient cybersecurity controls have allowed an unauthorized party access to customers’ personally identifiable information has not gone unnoticed by consumers or lawmakers. The public’s interest in better protection of their personally identifiable information was in fact one of the many drivers of CCPA.
Confidentiality of Company Proprietary Information
Manufacturing companies spend large amounts of money on research and development to create and enhance their products. If a company is maliciously infiltrated and product design secrets are stolen, others in possession of the stolen information can manufacture the same product at a lower price, inevitably resulting in lost business for the company that was hacked. This type of event is especially concerning for defense contractors who contribute to national security, as other countries can gain a warfare advantage when they possess this type of knowledge.
Stability of Economies
Traditionally, financial institutions have been the targets of hackers searching for financial gain. However, the increasing presence of nation-state sponsored hackers, who have more to gain from disrupting a nation’s economy than from simply stealing money, is changing the focus. Where a company would once have suffered a direct financial loss from a successful hacking attempt, hackers are now searching for other confidential information in order to maliciously manipulate a market, which could have a larger downstream impact on an economy as a whole.
Both internal audit and security professionals will need to keep an eye on how 2019’s cybersecurity regulatory changes unfold, both those that are currently known, and those to come.