Just Because You Passed Your Compliance Audit Does Not Mean That You Are Secure
When asked why he robs banks, Willie Sutton famously responded, “because that’s where the money is.” In today’s day and age, physical currency is no longer the target of the bad guys.
Stealing actual money carries too much risk with too little reward compared to other targets. Stealing money electronically with ones and zeros has somewhat taken its place, but today’s most valuable currency is data. To date, data is not as well protected as the physical and virtual gateways to financial currency, and as opposed to actual money, can be sold many times over. Despite this not being a new phenomenon, many organizations have not gotten their act together to properly protect their customers’, employees’ and business partners’ data.
Due to deficiencies highlighted in the many breaches of the past, regulators have stepped in to try to motivate the right behaviors. Why do we need regulations such as the New York State Department of Financial Services cyber security requirements, GDPR, the President’s cybersecurity executive order, PCI DSS, and on and on? Did banks of days gone by require industry or government regulation to tell them to install bullet proof glass, cameras and high security vaults (though I believe the FDIC does now have a section on minimum security requirements)?
Why do we seem to need layer upon layer of regulation and guidance to try to ensure a more secure business world? Is it working?
I think the short answer is yes and no. If the business impact of data breaches was as direct and quantifiable as the impact of physical bank robberies, and the steps for prevention as well defined, then regulation would be less necessary. However, though they may impact customers and partners significantly, cyber breaches often don’t impact the bottom line quite so directly. Additionally, the steps for prevention often require significant cost, effort and inconvenience. Despite the significant risks that are involved, organizations may be inclined to save money and effort in the near term and roll the dice.
In the absence of self-motivation, regulation is often needed to get companies to do the right thing for the public good. The challenge is structuring it so that it achieves the desired goal, in this case cyber protection, without it taking on a life of its own that undermines the outcome. Enterprises spend a lot of time and effort checking the compliance box while still being exposed to the risks that the regulation was supposed to mitigate. We’ve seen this syndrome in some highly regulated industries such as financial services. A bank operating in New York State that handles payment data may be subject to overlapping cyber regulations from the DFS, SEC, OCC, FFIEC, PCI, etc, etc, etc. Not to say that any one of them is bad or wrong, just that having all of them results in a whole lot of focus on compliance, much of which could and should be spent on security. Just because you passed your compliance audit does not mean that you are secure. We’ve seen many breaches occur shortly after the impacted institution passed its PCI or HIPAA audit. The occurrence of those breaches means that they were “not secure.” It was the exposed attack vectors, magnitude of the breach and time to detect it that highlights that they were not as secure as they needed to be. Bank robberies still occur today, albeit less frequently and less impactfully than they were 100 years ago. We need to get to that point (and beyond) in cyber.
If you run a well-structured and comprehensive cyber security program, it is a pretty good bet that complying with your industry’s regulations will be more of a formality than a fire drill. Some of the newer regulations and frameworks are moving in the right direction, taking a risk based approach vs. being highly prescriptive about specific technologies across the board.
The New York State Department of Financial Services NYCRR Part 500, whose first compliance deadline just passed, does just that. The regulation applies to financial institutions of greater than 10 employees, $5 million revenue, $10 million of year-end assets that operate in New York State, and their service providers, regardless of their location. New York State’s Department of Financial Services passed this regulation on March 1st, but gave institutions some runway to bring their organizations up to speed. It is a two year phase in, the first milestone of which went live on August 28th. The regulation overall is very much about a risk based approach, modulating controls based on each organization’s risk assessment. It is also one of the first cyber regulations to hold the “Chairperson of the Board of Directors or Senior Officer(s)” accountable for certifying compliance. It is important that although responsibility can be outsourced, accountability cannot. This first milestone lays the structure and foundation for a covered entity’s security program, including establishing a cyber security program, policies, designating a Chief Information Security Officer, adopting access management practices to minimize extraneous access, training security personnel or contracting a third party, establishing an incident response plan, and procedures for notifying DFS if there’s an event.
NYCRR Part 500 is not alone. Another framework moving in the right direction is the NIST Cybersecurity Framework, which is the governing framework of the President’s Cybersecurity Executive Order. Cyber security is not easy, but the industry has come to recognize that perfection is not the goal of security. Stuff happens. The goal is to understand and properly manage risk. Performing the required due diligence to manage cyber risk is in everybody’s best interest and if well-established practices are adopted by the industry, it will minimize future regulation, make complying with existing ones a formality, and most importantly, protect the bottom line and customers alike.