4.10.23 > Chris Buse
Chief Information Security Officers (CISOs) face a daunting challenge: keeping abreast of and demonstrating compliance with constantly changing compliance requirements. CISOs frequently use the term “compliance bar”, which implies that there is a single set of regulatory guidance to pick up and read. That is not the case. A significant challenge is normalizing requirements from numerous state and national regulators, none of which use common nomenclature. In effect, every CISO must create and maintain his or her own compliance bar.
The Bar Keeps Rising
The common themes of regulators in the financial services sector are more granular rules, more reporting requirements, and more external validation of controls. Each of these “mores” means more cost.
A primary regulator for financial service organizations is the New York State Department of Financial Services (NYDFS). NYDFS regulators are proposing major changes to NYDFS Part 500 Cybersecurity Requirements for Financial Services Companies. The proposed changes include:
• Many new technical security controls;
• Annual audits of cybersecurity programs;
• An independent risk assessment every three years;
• Special requirements for company leaders and Board members;
• More granular policies and procedures;
• Requirements to maintain a complete and accurate asset inventory;
• Increased cyber incident notification requirements; and
• New business continuity regulations.
Other regulators have similar proposals. For example, the Securities and Exchange Commission is undertaking an effort to expand its cyber-related regulations. There are also new state-level regulations that outline cyber requirements to protect personally identifiable information. Proposed regulations by the new California Privacy Protection Agency will set a new bar in this area for many organizations.
Is This Trend a Good Thing?
Some CISOs look at new regulatory requirements with disdain. However, I would argue that they promote fair competition for organizations that take cyber seriously. The presumption, of course, is that new regulations make sense and align with generally accepted best practices.
To illustrate, proposed NYDFS regulations will mandate use of a privileged account management solution to protect our most sensitive accounts from takeover. They also will require deployment of an endpoint detection and response solution, such as CrowdStrike, to thwart the introduction of malware. Also included in the NYDFS proposal is a centralized solution to aggregate event data and foster real-time analysis of it. These and other provisions come with a hefty price tag. However, organizations that take cybersecurity seriously already have these controls. Codifying generally accepted best practices simply levels the competitive playing field for all organizations that manage sensitive financial data.
Will This Ever End?
The short answer is that nobody knows. With history as my guide, this CISO believes that unscrupulous people will continue to search for innovative ways to commit cybercrimes. Therefore, companies that take cyber seriously will need to continue investing in better tools in what has become an unending game of whack-a-mole. And of course, regulators will continue doing what they do best: promulgate regulations.
I look forward to a healthy debate about the role of regulators at the upcoming 13th Annual Cyber Security Summit, a place for industry thought leaders.
Christopher Buse SVP, Chief Information Security Officer, Old Republic
Christopher Buse serves as Chief Information Security Officer for Old Republic National Title Insurance Company. In this capacity, Christopher is responsible for designing and implementing the enterprise security architecture for the company.
Christopher also served as Assistant Commissioner and Chief Information Security Officer for the State of Minnesota’s central technology agency, known as MN.IT Services. Christopher’s career in government also included several roles in the Minnesota Office of the Legislative Auditor, where he oversaw information technology audit work done on large government computer systems.
Here’s a handy link to Chris Buse’s Think Tank Advisor Profile here at the Summit https://www.cybersecuritysummit.org/speakers/christopher-buse/
You can connect with Chris on LinkedIn at https://www.linkedin.com/in/christopher-buse-7a47404/