[BreachExchange] Will New Cybersecurity Legislation Offer Better Protection for Consumers?

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 9 19:21:56 EDT 2017


New York state officials recently adopted comprehensive cybersecurity
regulations focused on preventing cyber-attacks in the financial services
sector. These regulations, which took effect on March 1, are the first of
their kind in the United States. Previous US cybersecurity laws and
regulations date back to the 1980s, but historically focused almost
exclusively on punishing hackers or penalizing companies that failed to
secure sensitive information.

New York’s new measures require banks, insurance companies and other
financial services institutions regulated by the state’s Department of
Financial Services (DFS) to establish and maintain a cybersecurity program
designed to protect consumers’ private data and ensure the safety and
soundness of the state’s massive financial services industry.

These regulations are necessary for consumers. For obvious reasons,
financial institutions are a favorite target of hackers. The past year set
another record for the number of reported security breaches
internationally, with more than half of those being cyber-related. However,
these reactionary regulations are indicative of the barriers in place
preventing us from fully addressing the ever-increasing number of
successful cyber-attacks.

Last year, banks across the world experienced cyber-attacks exploiting the
Society for Worldwide Interbank Financial Telecommunication (SWIFT)
messaging system. Using stolen SWIFT credentials, hackers were able to
steal over $80 (USD) from Bangladesh Bank. SWIFT has since issued warnings
that banks should increase security as more attacks are expected to come.

Stateside, the 2014 JP Morgan data breach remains one of the largest in
history. Some 83 million customers were affected, with email addresses,
phone numbers, social security numbers and other personal information
exposed to hackers.

In spite of all this, the United States Congress has still not passed a
comprehensive cybersecurity law in the 15 years since massive data breaches
became the stuff of the nightly news.

To their credit, US senators Mark Warner (D-VA), Jack Reed (D-RI) and Susan
Collins (R-ME) have joined together to introduce a bill to encourage public
companies to appoint cybersecurity experts to their boards of directors. A
separate group of senators – John Thune (R-SD), Brian Schatz (D-HI), James
Risch (R-ID), Maria Cantwell (D-WA) and Bill Nelson (D-FL) – has
introduced legislation to increase the support available to small businesses
to help them respond to cyber-threats.

New York’s regulations represent a sea change in how government approaches
cybersecurity. The new rules require businesses regulated by the DFS to
meet certain minimum standards – including written cybersecurity policies
and procedures and hiring a qualified, executive level cybersecurity
officer among other things – and to notify the state of successful and
attempted attacks within 72 hours.

“With this landmark regulation, DFS is ensuring that New York consumers can
trust that their financial institutions have protocols in place to protect
the security and privacy of their sensitive personal information,” DFS
superintendent Maria T. Vullo said. “As our global financial network
becomes even more interconnected and entities around the world increasingly
suffer information breaches, New York is leading the charge to combat the
ever-increasing risk of cyber-attacks.”

However, these rules only apply to companies regulated by a single agency.
The customers, employees and owners of the tens of thousands of New York
businesses not regulated by DFS have no such regulatory framework to ensure
their information is protected by a comprehensive cybersecurity program.
Step outside of New York state and the same is true of all businesses
regulated or unregulated at the state level.

The prospect for congressional action or federal agency regulations is dim.
Yet in a survey of global business leaders by Duff & Phelps, 86% say their
companies will put more resources and time into cybersecurity in the coming
year. Will they be the right resources? How many states will follow New
York’s lead? Will any states expand the concept to all businesses, not just
financial services?

On the vendor side of this equation, Gartner is recommending cybersecurity
firms – new and mature – focus on regulated businesses. Those businesses
are willing to bet on emerging technologies to solve evolving requirements
and threats. That includes small and medium businesses (SMBs) that may not
escape state-level regulations, but whose need to protect themselves is
just as great, considering 60% of all SMBs fail in the wake of a

The bottom line is that all sectors of commerce and government – big and
small – need rigorous cybersecurity measures, regardless of legislative
mandates. The increased attention on cybersecurity prevention on the part
of legislators is a step in the right direction as it seeks to
institutionalize fundamental protections for consumers who are increasingly
at risk of a data breach. However, the speed and sophistication of
cyber-criminals will require a much more proactive and aggressive approach
to security that protects against known and unknown threats, with plans to
evolve as the threat landscape changes.