Financial institutions are facing twin barrels of cyber-security regulation as a major August deadline set by the New York State Department of Financial Services (NYSDFS) approaches and the EU’s General Data Protection Regulation (GDPR) waits in the wings until it goes into effect in May 2018.
Of the two security mandates, John Chisum, a senior security advisor at RiskRecon, sees the EU regulation having a far larger impact on firms.
“If we are talking about NYSDFS or GDPR, there are organizations to which NYSDFS directly applies, but its scope is much smaller,” he said during a webinar hosted by cyber-security vendor Opus. “It’s going to be difficult to employ the broad brush strokes that we will see with GDPR.”
European regulators wrote GDPR to streamline the cyber-security regulatory environment: it applies to any company that does business with EU citizens or has access to their personal information, so firms no longer have to navigate each EU member state’s local data-privacy regime.
The regulation strengthens consumer rights, such as staff notification of breaches, the right to access at no charge the data that firms capture about their consumers, the ability for consumers to transfer their data, and the right to be forgotten, he noted.
Yet the most noticeable feature of GDPR is the hefty stick that regulators have given it. If regulators find a company in breach of the regulation, it could face a fine of as much as 4% of its global revenue.
Chisum was unsure whether the EU plans to use hard or soft enforcement once GDPR goes into effect. “It depends on how an issue is identified, such as being identified during a security audit or from an actual breach,” he said. “If it is the latter, it will be worse for the firm in question.”
To prepare for the new regulations, Dov Goldman, vice president of innovation and alliances at Opus, recommended a focus on fundamentals.
“Even as things change, they stay the same,” he said. “Good old-fashioned best practices tend to be the best defense against new cyber-risks.”
However, business as usual when it comes to cyber-security is not an option for firms, according to Chisum.
“There is a lot more involved in securing their environment than what they originally thought when they did their internal assessments,” he said.
Under GDPR and the NYSDFS regulation, companies will no longer be able to decide for themselves how much security is acceptable for the organization.
“I, as an organization, need to show that I’m taking appropriate steps to validate information that a third party provides,” Chisum explained. “In many cases, this isn’t a one-time validation either. I need to show that I am maintaining some level of visibility into the activities of my third parties as long as they are processing consumer data on my or my client’s behalf.”
It does not sound significant, he added, but the reality is that the methods currently in use do not scale well, since they are relatively labor-intensive. Compounding the problem is the dearth of cyber-security professionals. “All companies tend to fish from the same pond and poach employees from each other,” said Chisum.
He advised that firms look towards technology-based platforms to fill the gap as companies acclimate to the new regulatory environment.