IT Focus Area: Security
May 18, 2017
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
The EU General Data Protection Regulation (GDPR) and the New York State Cybersecurity Requirements for Financial Services Companies (NY Cybersecurity Requirements) represent a landmark change in the global data protection space. While they originate in different jurisdictions and apply to different organizations, their primary message is the same:
Protect your data, or pay a steep price. More specifically, protect the sensitive data you collect from customers.
What is behind these sweeping new data protection and data privacy laws? In a word, cybercrime. In today’s digital world, we are all “data subjects”. Critical aspects of our lives are determined by the data that is held about us, and as evidenced by the daily news cycle, that data is more at risk than ever. The threat landscape is increasingly dangerous, and new technologies are distributing sensitive data farther across locations, devices, and repositories.
According to Gemalto's Breach Level Index, 1,792 data breaches led to almost 1.4 billion data records being compromised worldwide during 2016, an increase of 86 percent over 2015. Verizon's 2016 Data Breach Investigations Report found that in 93 percent of cases where data was stolen, the initial compromise took minutes or less. Organizations, meanwhile, typically took weeks or more to discover that a breach had occurred, and it was usually customers or law enforcement that sounded the alarm, not the organization's own security controls.
Traditional prevention and detection methods are being bypassed, and many organizations either don’t know what to do, or don’t have the right resources in place to advance their security. Regulations such as the GDPR and NY Cybersecurity Requirements represent efforts to ensure that organizations are taking the right steps to protect sensitive data.
"These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place" to protect businesses and clients "from the serious economic harm caused by these devastating cyber-crimes." -New York Governor Andrew Cuomo
NY Cybersecurity Requirements
The New York Department of Financial Services (DFS) 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies is a series of regulations that require financial services organizations doing business in New York — which include banks and trust companies, insurance companies, mortgage lenders, investment companies, brokers and other financial services providers — to further enhance their security and privacy programs in an effort to, as Governor Cuomo put it, “protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible.”
Minimum security standards are required to be met, including but not limited to the following:
The rules took effect on March 1, 2017 with a 180-day transitional period (ending August 28, 2017) for general compliance. Covered entities must submit a statement to New York's Superintendent of Financial Services certifying compliance by February 15 each year, starting in 2018, and must meet the following longer transition periods for specific requirements, all measured from the March 1, 2017 effective date:
• One year (by March 1, 2018) for the CISO's annual report to the board (500.04(b)), penetration testing and vulnerability assessments (500.05), the risk assessment (500.09), multi-factor authentication (500.12), and cybersecurity awareness training (500.14(b))
• 18 months (by September 1, 2018) for audit trails (500.06), application security (500.08), limitations on data retention (500.13), monitoring of authorized users (500.14(a)), and encryption of nonpublic information (500.15)
• Two years (by March 1, 2019) for third-party service provider security policies (500.11)
The EU General Data Protection Regulation
The GDPR, adopted by the European Parliament and the Council in April 2016, replaces the Data Protection Directive 95/46/EC as the primary law regulating how organizations protect personal data. It contains new obligations and applies to organizations established in the EU and, regardless of location, to any organization that processes the personal data of data subjects in the European Union in connection with offering them goods or services or monitoring their behaviour.
Organizations that already comply with the Directive must still ensure that they meet the new GDPR requirements; those that fail to do so will face stiff penalties and fines. The regulation applies from May 25, 2018, a deadline that from an IT planning and management perspective is right around the corner, and it has U.S. organizations that offer goods and services to individuals in the EU scrambling.
In PwC's recent GDPR Preparedness Pulse Survey, nearly all respondents (92 percent) considered compliance with the GDPR a top priority on their data-privacy and security agenda for 2017, with over half saying it is "the" top priority and 38 percent saying it is "among" their top priorities.
Through the GDPR, the EU intends to give its citizens more control over how their personal data is used, and provide businesses with a clearer legal structure by standardizing data protection law across the EU.
Some of the key privacy and data protection requirements of the GDPR are highlighted below:
If you are unsure whether these regulations apply to your organization, you may need to engage the services of privacy consultants, and/or experienced privacy and technology-focused lawyers.
How can organizations that are impacted by these regulations implement the necessary changes for compliance?
Three Keys to Success
Whether it’s the NY Cybersecurity Requirements, the GDPR or other data protection and privacy regulations, efforts should be focused on discovering and identifying regulated data, and then managing and protecting it. While there is no “one-size-fits-all” approach, the majority of requirements in these regulations can be met through the development and/or maturation of programs many large enterprises have already begun to implement: data-centric security, incident response, and third-party risk management.
1. Data-Centric Security
It is no longer enough to focus IT security efforts on networks and endpoints. As infrastructure keeps changing, organizations need to keep pace by focusing on the data itself through a data-centric security program. A robust data-centric security program is invaluable not only for the GDPR and NY Cybersecurity Requirements, but for all data protection and data privacy efforts.
A comprehensive data-centric security strategy includes the following components:
• Data discovery
• Data classification
• Data tagging & watermarking
• Data governance
• Data loss prevention
• Data visibility
• Encryption strategies
• Enhanced gateway controls
• Identity and access management (IAM)
• Cloud access
• Continuous education
Several aspects of data-centric security are particularly important to compliance readiness for regulations such as the GDPR and NY requirements, including data discovery, data classification, IAM, data governance and encryption.
Many organizations don't even know where their sensitive information is, which makes it extremely difficult to comply with requirements such as the GDPR right to erasure (the "right to be forgotten", Article 17): you cannot delete every copy of a person's data if you cannot find it. You need to identify the regulated data you store and process, where it lives, the path it takes through your environment, and which systems process it. Data discovery tools provide visibility into the location, volume, context and risk associated with sensitive, unstructured data across the enterprise, both on-premises and in the cloud.
Data classification policies and tools facilitate the separation of valuable information that may be targeted from less valuable information. Information is divided into predefined groups that share a common risk, and the corresponding security controls required to secure each group type are detailed. Data classification tools can be used to improve the treatment and handling of sensitive, regulated data, and promote a culture of security that helps to enforce data governance policies and prevent inadvertent disclosure. Classification metadata can be ingested by data loss prevention (DLP), encryption and other security solutions to determine which information is sensitive, and how it should be protected.
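As an added illustration (not code from the original article or from any vendor's product), the following Go program shows the core of a data discovery and classification pass: it runs pattern detectors for e-mail addresses, US Social Security numbers and payment card numbers over file contents, confirms card candidates with a Luhn check so that phone and ticket numbers are not flagged, and emits a per-file classification label that a DLP or encryption policy can consume. The detectors, the three-level classification policy and the sample files are constructed for the example; a production scanner would walk the real file shares (for instance with filepath.WalkDir) and add detectors for whatever identifiers your risk assessment names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is the inventory record for one file: where it is, how many regulated
// identifiers of each kind it holds, and the label downstream tools can act on.
type Finding struct {
	Path           string         `json:"path"`
	Counts         map[string]int `json:"counts"`
	Classification string         `json:"classification"`
}

var (
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	ssnRe   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	// Card candidates: 13-19 digits with optional single space/dash separators.
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
)

// LuhnValid reports whether a string of ASCII digits passes the Luhn mod-10
// check used by payment card numbers; it weeds out phone numbers, ticket
// numbers and other digit runs that the regex alone would flag.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d > 9 { // not a digit
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// classify maps the detected identifier types to a handling label. The policy
// is a constructed example: card or SSN data is "Restricted", e-mail addresses
// alone are "Confidential", everything else is "Internal".
func classify(counts map[string]int) string {
	switch {
	case counts["card"] > 0 || counts["ssn"] > 0:
		return "Restricted"
	case counts["email"] > 0:
		return "Confidential"
	}
	return "Internal"
}

// ScanContent runs the detectors over one file's contents and classifies it.
func ScanContent(path string, data []byte) Finding {
	text := string(data)
	counts := map[string]int{
		"email": len(emailRe.FindAllString(text, -1)),
		"ssn":   len(ssnRe.FindAllString(text, -1)),
		"card":  0,
	}
	for _, cand := range cardRe.FindAllString(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(cand)
		if len(digits) >= 13 && len(digits) <= 19 && LuhnValid(digits) {
			counts["card"]++
		}
	}
	return Finding{Path: path, Counts: counts, Classification: classify(counts)}
}

// SampleFiles is constructed data standing in for a small file share. The
// card-like number in ops/runbook.md fails the Luhn check and must not count.
var SampleFiles = map[string]string{
	"crm/export.csv":    "jane.doe@example.com,4111 1111 1111 1111\n",
	"hr/onboarding.txt": "SSN 123-45-6789 for the new hire\n",
	"ops/runbook.md":    "Call 555-0100, ticket 4111 1111 1111 1112\n",
}

// Inventory scans every file and returns the findings sorted by path.
func Inventory(files map[string]string) []Finding {
	var findings []Finding
	for path, body := range files {
		findings = append(findings, ScanContent(path, []byte(body)))
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings
}

func main() {
	out, _ := json.MarshalIndent(Inventory(SampleFiles), "", "  ")
	fmt.Println(string(out))
}
```

The JSON inventory is the hand-off point: the path tells you where regulated data lives, the counts give volume, and the label is the classification metadata that a DLP rule or an encryption policy keys on. Tune the detectors against a sample of your own data before trusting the counts; a pattern that matches too loosely will bury real findings in noise.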
Identity and Access Management (IAM)
The NY requirements (500.12) mandate multi-factor authentication "for any individual accessing the Covered Entity's internal networks from an external network", unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls, and they call for effective controls, which may include multi-factor or risk-based authentication, to protect nonpublic information based on the risk assessment. Multi-factor solutions and services, including mobile device-based authentication products, can meet this requirement; single sign-on and federated access controls help by centralizing where the second factor is enforced, but on their own they do not add a factor.
The NY requirements oblige each covered entity to base its cybersecurity program on protecting the confidentiality, integrity and availability of its information systems and nonpublic information (500.02). In practice this pushes organizations to define and implement policies, processes and standards for the effective use and management of data, structured and unstructured, and of the systems that hold it. GRC tools can help automate governance processes and optimize the business value of data. Effective data governance enables organizations to address data privacy and data protection requirements no matter where the data is collected, resides or is consumed.
The NY requirements (500.15) call for encryption of nonpublic information both in transit over external networks and at rest, with compensating controls reviewed and approved by the CISO where encryption is infeasible. End-to-end encryption protects data regardless of whether it is in a public or private cloud, on a device, or in transit, and it is invaluable for combating advanced threats and maintaining regulatory compliance. Enterprise key management is an essential companion to encryption: keys must be generated, stored, rotated and monitored separately from the data they protect, because a breach of a data store that also holds its keys is simply a breach of the data. Under the GDPR, a controller that can show the breached personal data was rendered unintelligible, for example by encryption whose keys were not compromised, is not required to notify the affected data subjects (Article 34(3)(a)); the breach must still be reported to the supervisory authority under Article 33 unless it is unlikely to result in a risk to individuals.
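The following Go program is an added example (not code from the article or from any product it mentions) of the envelope-encryption pattern that enterprise key management builds on: each record is encrypted under its own data key with AES-256-GCM, the data key is wrapped under a key-encryption key (KEK) that only the key management system holds, and a KEK rotation re-wraps data keys without re-encrypting the records. A copy of the data store contains only ciphertext and wrapped keys, so it is unintelligible without the KEK; that separation is exactly what the GDPR notification exemption above depends on. The key ids, the in-memory key ring and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what the data store keeps per record; it is useless without the KEK.
type Envelope struct {
	KEKID      string // id of the key-encryption key held by the KMS
	WrappedDEK []byte // per-record data key, encrypted under that KEK
	Ciphertext []byte // the record, encrypted under the data key
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and returns nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if key, nonce, ciphertext or aad were altered.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// EncryptRecord encrypts the record under a fresh one-off data key and wraps that
// key under the named KEK, binding the KEK id into the wrap as associated data.
func EncryptRecord(kekID string, kek, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte(kekID))
	return Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// unwrap recovers the data key using the key ring (KEK id -> KEK) the KMS holds.
func unwrap(keyring map[string][]byte, env Envelope) ([]byte, error) {
	kek, ok := keyring[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available", env.KEKID)
	}
	return open(kek, env.WrappedDEK, []byte(env.KEKID))
}

// DecryptRecord unwraps the data key and decrypts the record.
func DecryptRecord(keyring map[string][]byte, env Envelope) ([]byte, error) {
	dek, err := unwrap(keyring, env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, nil)
}

// RotateKEK re-wraps the data key under a new KEK; the record ciphertext is
// untouched, which is what keeps periodic KEK rotation cheap at scale.
func RotateKEK(keyring map[string][]byte, env Envelope, newID string, newKEK []byte) (Envelope, error) {
	dek, err := unwrap(keyring, env)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(newKEK, dek, []byte(newID))
	return Envelope{KEKID: newID, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, err
}

func main() {
	kek := make([]byte, 32)
	rand.Read(kek) // demo KEK; a real one is generated and held inside an HSM or KMS
	env, _ := EncryptRecord("kek-2017", kek, []byte("Jane Doe, 4111 1111 1111 1111")) // constructed record
	pt, err := DecryptRecord(map[string][]byte{"kek-2017": kek}, env)
	fmt.Println(string(pt), err)
}
```

Keep the KEK in an HSM or KMS and never in the application's configuration or alongside the data: if an attacker who copies the data store can also read the KEK, the data is not unintelligible and the Article 34(3)(a) exemption does not apply. Binding the KEK id into the wrap as associated data also means a wrapped key cannot be quietly re-labelled to point at a different KEK.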
2. Incident Response
Historically, too much IT security spending has focused on the prevention of data breaches, and not enough has gone towards preparing for the inevitable.
- Prevention alone fails: just read the data breach headlines making news on a weekly — if not daily — basis.
- Detection alone fails: consider that the majority of incidents are detected externally, by law enforcement such as the FBI or by customers, not internally by the victim organizations themselves.
- What’s left when all else fails? Incident response.
An incident response plan is mandated by the NY Cybersecurity Requirements (500.16), and both regulations impose 72-hour breach notification deadlines: the GDPR requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach (Article 33), and the NY requirements require notifying the Superintendent within 72 hours of determining that a reportable Cybersecurity Event has occurred (500.17). In both cases the clock starts at awareness, not at containment, so organizations not accustomed to responding to security incidents within strict timelines will need to change their plans dramatically.
How can you gauge your organization’s IR capabilities?
Consider the following questions:
• Do you have an incident response program in place?
• Are employees aware of what constitutes an incident to begin with, and how to report and manage an incident?
• Have you optimized the tools you’re using today to protect against and detect incidents?
• Has your program been updated and tested to support today’s cyber threats and compliance with breach notification requirements?
• Does the executive team know their role and what is expected of them?
• Do you have the tools and relationships in place to accelerate your response to a serious security incident for containment and public management?
• Does your plan include provisions for retaining forensic and public relations firms that align with your cybersecurity insurance policy?
Professional services such as security program assessments can help organizations focus on their ability to detect and respond to security incidents, formally document the workflow required to triage and manage the incidents impacting the environment, and improve the processes that support current incident concerns. Compromise assessments help to determine if there has already been an incident or an incident is currently in progress. Additionally, interactive tabletop exercises and breach simulations — in conjunction with forensic and incident response “emergency services” partnerships — can also be of great value.
A comprehensive incident response plan will enable your organization to respond aggressively to an attack, maintain compliance, minimize damage and align defenses to mitigate future intrusions.
3. Third-Party Risk
Third parties can present your greatest area of risk exposure — both for data security, and for regulatory compliance. It is therefore important to extend your focus beyond the organization’s figurative four walls, and consider the impact of your “extended enterprise”. The ramifications of the GDPR and NY requirements broaden significantly when you think about all of the third parties that are essential to your daily operations.
Carefully monitor the security practices of partners and vendors — engaging in third-party due diligence and periodic assessments — to ensure that cybersecurity requirements have been met throughout your supply chain.
Under the GDPR, third parties that handle personal data on your behalf are "data processors" and are directly subject to the regulation. For example, if you are a retailer that collects customer information and shares it with a third-party call center, then under the GDPR you are the data controller and the call center is a data processor; the arrangement must be governed by a contract that sets out the processor's obligations (Article 28), and both of you need to maintain compliance. The NY regulations have an extensive section (500.11) dedicated to having companies "implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers."
Elements of a Third-Party Risk Program
Developing and implementing a third-party risk/compliance program is essential not only to your compliance efforts, but to your overall security posture.
Several key elements of a successful program appear below:
Third-party security tools can enhance your efforts by providing automated vendor risk assessment, and continuous vendor threat monitoring. Additionally, security scoring tools can help to assess both third-party security, and your own by using predictive analytics and security risk assessment tools to issue either FICO-like scores, or grades ranging from A to F to help predict the organization’s likelihood of a breach.
People, Process & Technology
In order to successfully address data protection and privacy regulations and maintain a competitive advantage, the critical components of all enterprise initiatives should be well-considered: people, process and technology.
Professional security assessments are a best practice that both regulations require in some form. The NY requirements call for a periodic "Risk Assessment" (500.09) to which the overall program and policy are explicitly tied, and the GDPR mandates a "Data Protection Impact Assessment" (Article 35) for processing that is likely to result in a high risk to individuals. These services can help your organization determine an actionable roadmap for achieving compliance and maturing its overall data protection capabilities.
The Benefits of Being Prepared
For many organizations, building and operating a cutting edge data protection program hasn’t been a top priority. Requirements such as the GDPR and NY Cybersecurity Requirements are ushering in a new era of accountability, in which every regulated organization that collects, stores and uses sensitive customer data needs to raise the bar to meet new standards. As UK Information Commissioner Elizabeth Denham said during a lecture in January, “We’re all going to have to change how we think about data protection.” As arduous as this may seem, there are benefits. Organizations that mature their data protection capabilities with robust data-centric security, incident response and third-party risk programs can enhance their brand reputation, and are likely to be more resilient going forward. Taking extra care in how you collect, store, and use sensitive data will help you stay prepared as the regulatory landscape continues to evolve, and reduce the likelihood and impact of data breaches on your business.