What do Brussels and Albany have in common? 'Albany...where’s that?' you’re probably asking. It’s a sleepy city that poses as the capital of New York State. Kind of like Brussels, which poses as the capital of Europe. Well, they now have something else in common. Both capitals have jumped the line to be at the vanguard of cyber regulation.
The General Data Protection Regulation, commonly referred to as GDPR, is getting a lot of attention. It affects all industries and all companies globally who want to do any business in Europe. This regulation has been on people’s minds for years, a long buildup, with very little in there to surprise us. It is to be enforced starting in May 2018. And it’s got some teeth. Not a mere couple million dollar fine – the fines are scores of millions of dollars all the way up to 4% of revenues! Ouch. That gets my attention. It’s not just the defects that are in the nine digits, but the regulatory penalties too.
The New York State Department of Financial Services (NYS DFS) issued a regulation in March that most of us first heard of a year ago. Titled 23 NYCRR 500, at least some parts of it are now in force. With the rest to be phased in over the two-year period since its introduction. It’s limited in scope to the financial services institutions that are regulated at the state level – mostly insurance carriers – that do business in New York, and it’s really focused on cybersecurity. But, it certainly has teeth like no other regulations I’ve seen. If you’re found in breach by NYS DFS, your business in New York could be terminated. That’s even more painful than a huge fine, and with longer term implications. This puts a premium on strong software risk management and compliance discipline.
Another similarity is the assignment of a responsible executive. The GDPR stipulates the assignment of the Data Protection Officer (DPO). The DPO becomes the responsible party for ensuring that the “at risk” data is identified, the data processing impact analysis (DPIA) takes place and all paths to the sensitive data are examined and protected. The NYS DFS simply stipulates that affected organizations must have a CISO. Imagine – some financial services companies still don’t have a CISO. Who would have thought?
The other thing these regulations have in common is their focus on data. The ‘cyber’ world has been fixated on process and protocol for a long time, making sure all sorts of controls are in place regarding networks, data centers, firewalls and best practices. But the focus has not been on the data. The GDPR is by its very definition focused on the private data that enterprises keep. All companies must practice “data privacy by design” and the customer should have control over how their data is handled, including the right to be forgotten. The NYS DFS focuses more broadly, on all company operating data. Not just customer PII. There is also a significant emphasis on data security here.
Frankly, it’s about time that regulators and all security professionals started to realize that “it’s the data, stupid.” Typical security approaches are from the outside in – that is looking at the fortress walls, where the adversary might gain access and trying to plug those holes. The more advanced security practitioners are now starting to think inside out instead. Start with everything that touches our data, whether at rest or in transit, and make sure all those touchpoints are secured. Start with the quality of the software, not just the known exploitable weaknesses. It’s the fundamental work that needs to be done to thwart the attackers that have already penetrated the network defenses, or who are insiders to begin with.
Lastly, and I think this is true of most “cyber” regulations these days, both regulatory regimes are broadening the scope from a pure focus on security. There are many examples, including recent issues such as the Cloudbleed data leak, that show a security issue that stems from a fundamental quality issue. We’ve seen sensitive data exposed, or corrupted, so many times because of mistakes in the code, poor DBMS management, circular dependencies across multiple components and generally unstructured architecture. If it must be the regulators who lead the industry into a more thorough consideration of data management architecture, so be it.
While the mood in Washington with the current administration is to lower regulatory burden overall, the situation on the street is more nuanced. These days the regulatory world is also flat, so what Washington doesn’t do, others will. We’ve already seen US states such as California, New York, Washington and Massachusetts take a stand on environmental issues, where China and Europe are far more advanced than the US. We’re now seeing Europe, Singapore and New York State take the lead in cyber regulation as well. Since these are all large main street and capital markets, the industry, and eventually Washington, will follow.