We had an engaging discussion recently with Lisa Xu, CEO of NopSec, about the New York Department of Financial Services (DFS) groundbreaking cybersecurity law for financial services organizations released on Sept. 13, 2016. NopSec is a leading cybersecurity firm offering software-as-a-service technology for vulnerability risk management.
Q. Ms. Xu, NY DFS’s Proposed Cybersecurity Regulation has made headlines in the past week since the Governor’s announcement. What do you think the impact on DFS’ regulated financial services companies will be?
A. Three things come to mind: compliance, costs and reputation. What we have seen in the past is that regulators provide general practice guidance, and ultimately it’s left with the covered entities to determine the appropriate level of security policies and adequate controls implementation. Now, it’s very different this time. These requirements are becoming enforceable regulations where financial services companies must be in compliance if they choose to conduct businesses in the state of New York. The adoption of new regulations will be undoubtedly challenging and time-consuming, and could be perceived as a cost burden for the covered entities. Nowadays, we have heard very often that cybersecurity has become a board-level discussion. Companies on the cutting-edge of technology-enabled financial service businesses have embraced cybersecurity as an investment to provide better customer experience, trust and loyalty. Lastly, you might be able to put a price on the cost of regulatory compliance; however, no one can put a price on a data breach and possible negative reputation impact on any financial service company. Research suggests that customers expect protecting customer data and privacy is an ordinary course of business and would explicitly avoid breached firms in their solution choice.
Q. The Cybersecurity regulation calls for an effective date of Jan. 1, 2017, allowing 180 days for implementation of most requirements – a relatively tight time frame. How would you suggest organizations proceed with compliance efforts?
A. Prioritization is key. Generally, we recommend cover entities conduct a baseline readiness assessment to evaluate any possible gaps in the current cybersecurity program. Based on the gap analysis, financial service companies should prioritize the improvement areas they can accomplish in the near term with internal resources, and identify control gap areas that require support of external service providers and partners.
Proper planning is a critical success factor to achieve overall compliance. Clearly defined ownership and timeline are equally important in this company-wide multi-disciplinary initiative, where IT Operations, Compliance Officer, Chief Information Security Officer should be fully aligned to the success outcome of this project. Assigning a project manager can be particularly helpful, especially given a tight implementation time window. A dedicated project manager can promote cross-department collaboration, open communication, provide visibility on progress to the management committee and the Board, and effectively manage the deadline and deliverable.
Q. The Cybersecurity regulation mandates annual penetration testing and quarterly vulnerability testing – both core strengths for NopSec. NopSec has been on the front lines in these areas for years, do you have any critical lessons learned for organizations where these requirements may not have been a focus in the past?
A. Absolutely, we have seen two major lessons learned among covered entities. First, there is a lot of confusion between penetration testing and vulnerability assessment. These terminologies have been used interchangeably among many covered entities. Actually they are quite different. Vulnerability assessment is a test to detect possible vulnerable hosts or applications that may be subject to exploitation; however, it does not provide you the actual proof that your systems may be compromised. On the other hand, in a real emulated penetration test, experienced testers perform exploitation of remote code execution and deliver a proof of concept to evidence the compromise.
Second, many organizations primarily focus on external-facing assets, such as external networks or internet-facing web applications, and are less concerned about internal-facing IT assets, simply thinking “inside firewall” would be safer. In reality, we observe internal networks and web applications represent much of the overall risk exposure when simulated attackers’ lateral movements are possible, attackers can escalate system access and bypass existing security controls.
Q. Many regulated organizations will have decisions to make on how much of the work involved can be done internally as opposed to externally by a vendor or partner. As someone who has been in the business of assisting organizations, do you have any thoughts that can help them with this decision?
A. To outsource or not to outsource is not an easy decision. Over the years, we have witnessed the transformational impact where financial service companies have transitioned from an information technology (IT) oriented organizational structure to a business technology (BT) oriented operating model, so to speak, transforming from an IT to BT business model and supply chain management. The core business of these financial service companies is simply to make profits and retain customers. Their core competency does not necessarily reside in managing a world-class cybersecurity program. Given the lack of cybersecurity talents and varied skill levels in the market, it has becoming particularly difficult for the covered entities. We recommend financial service organizations perform a Cost and Benefit analysis to identify time-based strategic objectives, and align them to the tactical initiatives. Outsource the “blocking and tackling” activities to competent vendors, take advantage of cutting-edge security solutions and experienced cybersecurity talents, and manage Service Level Agreement and KPIs with vendors to deliver results that support the strategic direction of the company.
For more information on this topic, or to learn how Baker Tilly financial service specialists can help, contact our team.