So many different IT systems and devices, so little time for compliance. Small and medium-sized enterprises (SMEs) represent up to 99% of national economies and a huge market for IT products. The wide variety of systems in use in the SME sector makes it a breeding ground for vulnerabilities and cyberattacks. Yet so far, suitable solutions to help SMEs be compliant in information security have been lacking.
SMEs are generally budget constrained and have little time to stay on top of IT configurations and security settings. Regulators remain unsympathetic – information security is a cost of doing business. Companies that do not audit or assess their security, or cannot otherwise prove appropriate information security controls, are subject to fines and sanctions, putting their hard-earned reputations at risk. Automating the monitoring and reporting of system and device compliance can make a significant difference. It reduces effort and increases reliability, helping SMEs meet their compliance obligations more easily and cost-effectively, while reinforcing the confidence of their partners and clients.
Compliance and Security Challenges Facing SMEs
On its own, one small or medium-sized business may not have a large IT installation. IT infrastructures and security profiles, however, vary considerably from business to business, so what makes one company compliant cannot simply be copied over to another. Even 1% noncompliance can be enough to make a company vulnerable to cyberattacks or incidents, which is why auditors are so fastidious when they check.
IT vendors do not always help matters either. Their IT products are usually destined for a wide range of uses, meaning that restrictive security settings may not be part of default configurations. Some vulnerabilities even exist right ‘out of the box’. Between new and legacy systems, there are hundreds of types of machines. According to end-user needs, there are then thousands or more possible configurations. This complexity increases yet again with combinations of cloud systems and on-premise data centers, as well as other devices used by external users and advisory networks that all need to be connected.
To compound the problem, the specialist knowledge to ensure compliance is lacking in many SMEs. Even when an SME has employees who know about compliance with industry standards and who know about information technology, there is no guarantee that all this knowledge exists in one person. Different individuals often have separate areas of expertise, leaving a gap between regulatory requirements and IT actions.
Options for Assessing and Improving Compliance
Unlike annual fire safety inspections, information security compliance is a continual activity. IT vendors constantly release new versions of their operating systems and other software, making compliance a moving target. Cybercriminals are a round-the-clock threat: thanks to the internet, hackers from halfway across the world can threaten a company’s data center, day and night.
There are several ways that SMEs might approach their information security compliance, each with its limitations. There is unfortunately no “silver bullet”. A better solution is a program that combines different approaches, using the advantages of each one and avoiding or compensating for the limitations. Here are some primary elements:
Smart Automation, Key to Efficiency and Affordability
Vulnerability scans and checklist assessments, coupled with periodic controls assessments, stand out as the approaches with the potential for covering the most compliance at the least cost. This is largely due to the possibilities of automating them and the extensive databases of information available for use with them. What cannot be automated will need to be accomplished manually. Examples include penetration testing and security hardening of proprietary developments that do not feature in standard checklists. These automated and manual procedures should also be integrated into a larger information security program for prevention and remediation of IT security threats and incidents, with end user security awareness training, endpoint protection, firewalls, SIEM, intrusion detection systems, and other measures as appropriate.
As well as offering wide coverage for compliance and the software audit trails to prove it, there is another advantage to automated solutions. They force hackers and cybercriminals to ‘up their game’ or to seek another easier target. In many cases, attackers choose the second option, preferring not to waste time attacking an organization that has already extensively checked and corrected vulnerability and compliance issues. Automated checking can also be extended across onsite and in-cloud systems, as well as mobile computing devices such as smartphones, tablets, and laptops. In addition, automated solutions may offer benchmarking to show how an organization’s security posture compares with the rest of the industry. Good posture makes for good public relations. This can help improve the organization’s corporate image as being secure and responsible in matters of information and data protection and privacy.
For SMEs or other organizations with limited technical expertise in-house, an automated solution for information security compliance must also be suitably user-friendly. Administrators or users should be able to see the security and compliance status of their company at a glance, for example via an intuitive dashboard. They should also be able to easily achieve optimal security settings across systems and devices, independently of their location. Because the solution monitors configurations continually, it must also immediately alert users or management to configuration changes, especially those that result in non-compliance. Additional functionality, such as checking that necessary security scans are being run regularly and verifying that disk data is encrypted, gives an SME a well-rounded view of its security and compliance posture.
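The automated checklist assessment described above (and the continual configuration monitoring with alerts on drift into non-compliance, scan-recency checks and disk-encryption verification just listed) can be illustrated with a small checker. This is an added example, not code from the original article or from any compliance product; the rule identifiers (ENC-01, FW-01 and so on), the thresholds, the fixed reference date and the device inventory are all constructed for the demonstration rather than taken from a vendor or government checklist.

```python
"""Minimal automated compliance checker (added example, not the article's own code).

It evaluates device configuration snapshots against a baseline checklist,
computes a dashboard-style compliance score, and flags configuration drift
that moves a device from compliant to non-compliant.  Rule IDs, thresholds,
the reference date and the inventory below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Callable


@dataclass
class Rule:
    rule_id: str                    # hypothetical identifier, e.g. "ENC-01"
    description: str
    check: Callable[[dict], bool]   # returns True when the device passes
    remediation: str                # suggested fix surfaced to the administrator


# Fixed reference date so the "scan run recently" check is deterministic (constructed).
TODAY = date(2018, 6, 1)
MAX_SCAN_AGE_DAYS = 30


def scan_is_recent(cfg: dict) -> bool:
    """Pass only if a vulnerability scan ran within MAX_SCAN_AGE_DAYS of TODAY."""
    last = cfg.get("last_vuln_scan")
    if last is None:
        return False
    return (TODAY - date.fromisoformat(last)).days <= MAX_SCAN_AGE_DAYS


# Constructed baseline checklist; a real deployment would load vendor/CIS-style data.
BASELINE = [
    Rule("ENC-01", "Full-disk encryption enabled",
         lambda c: c.get("disk_encryption") is True,
         "Enable full-disk encryption (e.g. BitLocker, FileVault, LUKS)"),
    Rule("FW-01", "Host firewall enabled",
         lambda c: c.get("firewall") is True,
         "Turn on the host firewall"),
    Rule("AUTH-01", "Minimum password length >= 12",
         lambda c: c.get("min_password_length", 0) >= 12,
         "Raise the password policy minimum length to 12"),
    Rule("SCAN-01", f"Vulnerability scan run within {MAX_SCAN_AGE_DAYS} days",
         scan_is_recent,
         "Schedule the recurring vulnerability scan"),
    Rule("SVC-01", "No legacy remote service (telnet) listening",
         lambda c: "telnet" not in c.get("listening_services", []),
         "Disable telnet and use SSH instead"),
]


def evaluate_device(cfg: dict, rules=BASELINE) -> dict:
    """Return per-rule pass/fail for one device plus remediation for each failure."""
    results = {r.rule_id: bool(r.check(cfg)) for r in rules}
    findings = [(r.rule_id, r.description, r.remediation)
                for r in rules if not results[r.rule_id]]
    return {"device": cfg["name"], "results": results, "findings": findings}


def compliance_score(reports: list) -> float:
    """Fraction of (device, rule) pairs that pass: the dashboard's headline number."""
    total = sum(len(r["results"]) for r in reports)
    passed = sum(sum(r["results"].values()) for r in reports)
    return passed / total if total else 1.0


def drift_alerts(previous: dict, current: dict, rules=BASELINE) -> list:
    """Compare two snapshots of one device and return rules that went pass -> fail.

    Changes that remain compliant are not alerted on (they belong in the audit
    trail), so administrators only get interrupted for drift into non-compliance."""
    before = evaluate_device(previous, rules)["results"]
    after = evaluate_device(current, rules)["results"]
    return [rid for rid in after if before[rid] and not after[rid]]


# Constructed inventory snapshot covering a laptop, a cloud VM and a phone.
INVENTORY = [
    {"name": "laptop-01", "disk_encryption": True, "firewall": True,
     "min_password_length": 14, "last_vuln_scan": "2018-05-20",
     "listening_services": ["ssh"]},
    {"name": "cloud-vm-01", "disk_encryption": True, "firewall": False,
     "min_password_length": 12, "last_vuln_scan": "2018-03-01",
     "listening_services": ["ssh", "https"]},
    {"name": "phone-01", "disk_encryption": False, "firewall": True,
     "min_password_length": 6, "last_vuln_scan": None,
     "listening_services": []},
]


if __name__ == "__main__":
    reports = [evaluate_device(d) for d in INVENTORY]
    print(f"Compliance score: {compliance_score(reports):.0%}")
    for rep in reports:
        for rule_id, desc, fix in rep["findings"]:
            print(f"{rep['device']}: FAIL {rule_id} ({desc}) -> {fix}")
    # Simulate drift on the laptop: firewall switched off and telnet enabled.
    drifted = dict(INVENTORY[0], firewall=False, listening_services=["ssh", "telnet"])
    print("Drift alerts for laptop-01:", drift_alerts(INVENTORY[0], drifted))
```

The checks are deliberately data-driven: each `Rule` pairs a predicate with the remediation text shown to a non-specialist, which is what lets the same engine cover on-premise, cloud and mobile records as long as each device's snapshot uses the same keys. The drift function only raises an alert for a pass-to-fail transition, matching the article's point that the interesting events are configuration changes that cause non-compliance, while every change can still be written to an audit trail.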
Responsibilities and Results
While smart software can go a long way to help ensure compliance and security, the organization and its users always retain the final responsibility. An automated solution can find issues, flag them, and even suggest ways to remediate them. Users then make or authorize suitable changes. A software solution does not in itself guarantee compliance, although it can provide valuable records of compliance settings and changes.
Nonetheless, all enterprises and organizations, and SMEs especially, can take advantage of such a solution for faster, better, more affordable compliance and security checking. By leveraging vendor and government checklist data and monitoring IT security essentials effortlessly via a suitable software application, they can meet requirements of auditors and regulators and significantly reduce the risks of IT system and network attacks.
Not In Compliance With NYDFS’s Cybersecurity Regulations? Helpful Guidance From HLC On What To Do Now.
You have been busy. Your company has clients to service and business to win. Maybe you were vaguely aware of the New York State Department of Financial Services’ (“NYSDFS”) cybersecurity regulation that went into effect last March but now the deadline has passed for filing the cybersecurity annual certification and you did not submit. Not only that, but maybe you didn’t do anything to comply. Of course, there is also the reminder you recently received from New York State underscoring your non-compliance….
The first step is obvious: deflect blame. Target prospects include anyone from your organization, your vendors, politicians, lawyers (obligatory), and New York State itself.
If you have already received the notice, then it is likely that you need to comply. There has been some confusion about the need for individuals to comply versus firms, since the requirements apply to both. Covered companies may comply on behalf of affiliates, subsidiaries, employees, and contracted individuals (e.g., registered representatives) but may not comply on behalf of third party providers that are entities. This means that third party providers who are regulated by NYSDFS may still be subject to the regulations even if they have employees who are in compliance through the information security program of another Covered Entity.
Another important point to remember is that it does not matter if you are located out of state. If your firm must register with the NYSDFS to conduct covered businesses within New York, then you must comply with the regulations.
Is My Business Partially Exempt?
After you have determined that you are subject to the regulation, the next question you need to ask is whether you are eligible to file for a partial exemption (which you may also be delinquent on…sorry). If you are, then you only must comply with the major requirements indicated by the red boxes below. If you are not, then red and blue are your colors.
Partial exemptions are available if your firm: (i) has fewer than ten employees and contractors; (ii) has less than $5mm in gross annual revenues; (iii) has less than $10mm in year-end total assets; OR (iv) effectively has nothing to do with Nonpublic Information, as defined in the regulations.
If you know you are covered by the law, qualify for an exemption and have not filed, then you should do so now. Log in here:
https://myportal.dfs.ny.gov/web/cybersecurity and file now…I’ll wait.
Whether or not you are exempt, the next step is to start to comply, and the first step there is to get an information security risk assessment done. This is not a DIY project unless you have in-house information security professionals. You should hire an experienced cybersecurity assessment firm to assist. In addition, if you are not partially exempt, you will need to ensure that a vulnerability scan and penetration test are done on your systems. Even if you are partially exempt, you should perform vulnerability scanning and penetration testing anyway, as it is an industry best practice for any information security program.
The risk assessment is generally the first step towards identifying where your gaps are, and a security program, if not in place already, should flow from the results of that assessment. The assessor should also provide your firm with a prioritization map to facilitate your response. In addition, a qualified third-party information security risk assessor should be able to give your firm direction on how to address the gaps identified, including those specifically required by New York’s regulations.
While the risk assessment is in process, you should also assess (or compile) your policies and procedures, since this process will require your active engagement from the beginning. Do not simply adopt off-the-shelf information security policies and procedures without fully understanding how they will apply within your organization. The regulations require that your policies be based on the findings of the risk assessment, so if your firm just adopts form policies without any review or customization, it is effectively documenting non-compliance with the regulation. Again, you should consult experienced third parties with regard to crafting such policies.
The areas that your policies will need to cover include:
Once you have established your course of action as set forth above, you should reach out to NYSDFS and advise that your compliance certification will be delayed but you are taking the above actions (excepting blame deflection) to correct.
Having managed to correct this one lapse, make sure to keep an eye on the forthcoming regulatory timelines. Implementation of controls respecting audit trails, data retention, data encryption, application security and user monitoring is required by September 3rd of this year. By March of next year, covered firms will need to certify that they have implemented a Vendor Risk Management program.
In February 2015, HLC’s “The Convergence of AML and Cybersecurity” post noted “customer activity that may be a possible basis for a Suspicious Activity Report (SARs) should also be viewed as a potential information security breach…similarly, a detected cybersecurity breach may be the first indicator of a financial crime.”
Last week, the SEC’s Office of Compliance, Examinations and Inspections (“OCIE”) released its third cybersecurity National Examination Program Risk Alert (the “September Alert”) inside of eighteen months, heralding a second round of cybersecurity sweeps and greater general examination focus on the issue.
On February 2nd, the SEC, FINRA and the North American Securities Administrators Association (NASAA) all released cybersecurity reports and alerts.
As in past years, the SEC and FINRA (as well as other regulators) released their examination priorities for 2015 in early January. Compliance and legal professionals can now pore over the language of these priorities to assess where their firms need to focus in the coming year. While there may be more than one candidate for top honors, cybersecurity has emerged as an area that will receive increased scrutiny from regulators in the year ahead.
In late June, BAE Systems revealed that it had stopped an ongoing cybercrime whereby cybercriminals had installed a malicious computer program on the servers of a large hedge fund, crippling its high-speed trading strategy and sending information about its trades to unknown offsite computers.
As the General Counsel for a then fledgling exchange, Direct Edge, at the end of 2010, I was not completely prepared for the level of regulatory scrutiny that the Securities and Exchange Commission’s office of Automation Review Procedure (ARP) would dedicate to our information security program following the discovery that hackers had infiltrated Nasdaq’s Directors Desk systems and were spying on the confidential communications of public company directors over a prolonged period.