Information security threats are a concern for every business, but they are particularly disruptive to the nation's infrastructure systems, including transportation, communications and financial institutions. If unauthorized users gain access to information related to the core industries needed for everyday activities, the consequences could be catastrophic.
Protecting infrastructure systems is a top priority for regulators. It's a focus for the Department of Homeland Security's National Cybersecurity Month. It was also the subject of a 2013 executive order, which encouraged increased cybersecurity awareness among the infrastructure sector. Among other provisions, the executive order led to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which today is one of the gold standards for information security protection. It also created the Critical Infrastructure Cyber Community Voluntary Program to help infrastructure industries adopt the recommendations in the NIST framework.
The frameworks established, however, only provide recommendations for improvements. Regulators are weighing whether to make the best practices in cybersecurity mandatory. Financial institutions in particular may soon find that robust cybersecurity programs are not optional. A closer look at the developments in information security requirements for financial institutions may give us a glimpse of what's ahead for cybersecurity regulation of other infrastructure industries—and other companies at high risk for data breach.
Proposed Regulations in the Works
The Federal Financial Institutions Examination Council (FFIEC) has cybersecurity recommendations for all financial institutions. These recommendations include ongoing risk assessments and risk mitigation practices. The FFIEC suggests following software assurance industry practices for applications and regularly evaluating third-party software and services for unusual activity or behavior. It also has recommendations for protecting user permissions and for cybersecurity awareness training.
In 2016, financial regulators proposed taking things a step further. The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Company announced proposed cybersecurity rules for large financial institutions. The rules would apply to any bank or financial institution with total consolidated assets of $50 billion or more, or to any bank or financial institution that is a subsidiary of a financial institution with $50 billion or more in total consolidated assets. Third-party service providers that serve these financial institutions would need to implement the rules as well.
The rules, which draw heavily from the NIST Cybersecurity Framework and other cybersecurity publications, fall into five general categories: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness. Comments on the proposed rules were originally due by Jan. 17, 2017, but the deadline was later extended to Feb. 17, 2017. It remains to be seen how the proposed rules would change in a final version.
Local Cybersecurity Efforts
Another trend worth monitoring is state-mandated cybersecurity requirements. In the wake of cybersecurity incidents that affected New York-based financial institutions, the state passed its own cybersecurity requirements for financial institutions. The rules in 23 NYCRR 500 became effective on March 1, 2017 for qualifying financial institutions. They require financial institutions to implement a comprehensive cybersecurity program that covers 17 key components, including:
- A formal cybersecurity program and policy
- A chief information security officer
- Regular penetration testing and vulnerability assessments
- A cybersecurity audit trail
- Access privilege requirements
- Application security measures
- Cybersecurity personnel and intelligence
- A formal third-party service provider security policy
- Multifactor authentication for network access
- Limitations on data retention
- Ongoing training and monitoring
- Encryption of nonpublic information
- An incident response plan
- Notices to the superintendent
- Confidentiality measures
Lessons from Financial Institution Regulation
Infrastructure companies should monitor how mandatory rules play out for financial institutions. If the regulatory efforts are successful in reducing the number of financial institution cybersecurity incidents, state and federal regulators may turn their attention to cybersecurity regulations for other industries.
Organizations with a history of information security threats and disruptions may also want to consider undergoing a cybersecurity risk assessment and penetration testing exercises to pinpoint where their current practices are falling short. Infrastructure companies should also consider the benefits of cyber liability insurance. Insurance policies frequently require a minimum set of information security standards to be in place, and meeting them may help keep an organization up to date on cybersecurity best practices.
Published on October 30, 2017