New York State Cyber Security Law Heavy on GRC and Proactive Cyber Security

The first phase of the New York state cyber security regulations, which apply to insurance companies, banks, and other financial institutions operating within the state, went into effect at the beginning of March. While the insurance and finance industries are already subject to numerous cyber security-related standards and regulations, New York’s legislation represents the first time a state has mandated specific cyber security requirements.

Breaking Down the Requirements

If you want to read all 14 pages and 23 sections, you can download a PDF copy of the regulations here. The requirements, which are being phased in over a two-year period, mandate that organizations engage in proactive cyber security and GRC practices, such as:

• Conducting a comprehensive risk assessment and using the results to design and implement a cyber security program, a written cyber security policy, and a written incident response plan. Further, a separate cyber security policy must be established for third-party service providers.
• Designating a Chief Information Security Officer (CISO) and employing “qualified cybersecurity personnel,” either in-house or through a third-party provider, to perform information security-related functions.
• Providing all employees with ongoing cyber security awareness training, and providing cyber security employees with continuous training to keep them current in their field.
• Performing periodic penetration testing, vulnerability assessments, and risk assessments.
• Establishing appropriate system user access privileges, maintaining system audit trails, and utilizing technical controls such as multi-factor authentication and data encryption.
• Adhering to certain reporting, notification, and confidentiality requirements.

SMBs Fret Over Complying with New York State Cyber Security Law

Most affected organizations have until August 28, 2017, to implement the first phase of the New York State cyber security regulations, including the cyber security policy, employee training program, incident response program, designating a CISO, and hiring qualified cyber security employees. Despite the fact that smaller firms – those with fewer than 10 employees and less than $10 million in assets and $5 million in gross revenues – are exempt from certain portions of the law, many small and medium-sized businesses are worried about their ability to comply.

Although the new law mirrors numerous existing cyber security frameworks and standards, such as ISO 27001, FFIEC, GLBA, NIST CSF, and OCC, as well as guidance from the FTC, many organizations have neglected information security for years. These firms will need to do some serious catching up – and they are not going to get away with simply updating a couple of lines in their existing policies or appointing the office manager the “CISO.” They will need to completely shift their mindset, overhaul their cyber security governance, policies, and plans, implement specific security controls and, in many cases, drastically increase their security budgets to pay for all of these changes.

Even for organizations that grasp the importance of proactive cyber security, compliance concerns are warranted. Not only are the law’s requirements quite involved, but they also require that firms hire or contract with qualified cyber security experts and a CISO. There is simply no getting around seeking out expert help. Meanwhile, there is a severe shortage of workers with cyber security skills. ESG Research reports that nearly half of all organizations cited “a problematic shortage of cyber security skills in 2016.” Even when organizations can locate qualified talent, they must pay top dollar to attract it. The New York state cyber security regulations are expected to shrink the talent pool even further and drive salaries even higher as multinational Wall Street finance companies with deep pockets snap up security analysts and engineers.

Automation and Outside Help Are Keys to Compliance

Most SMB’s, as well as more than a few large businesses, will find that hiring in-house cyber security talent is out of reach. The labor costs alone will break many smaller firms’ budgets – if they can even find qualified workers in the first place. Fortunately, organizations may fulfill the law’s personnel requirements, including the requirement for a CISO, by enlisting the services of a professional cyber security firm such as Continuum GRC. Outsourcing your organization’s cyber security and compliance ensures that you get the expert talent you need immediately and at a price that is far lower than hiring in-house employees. Further, your organization would not have to shoulder the burden of the continuous cyber security training that is required by the New York law.

Automation is also critical. Many organizations still use spreadsheet programs for their IT audits, compliance, and reporting. This time-consuming, inefficient, dysfunctional practice has been outdated for years – and the New York regulations are going to expose its weaknesses even more clearly. Now more than ever, organizations of all sizes must ditch manual IT audits, reporting, and GRC processes and use RegTech software such as Continuum GRC’s IT Audit Machine (ITAM IT audit software). The ITAM IT audit software can help you comply with the New York cyber security law by integrating your IT governance, policy management, risk management, compliance management, audit management, and incident management; creating, measuring, monitoring, and managing your IT governance programs; and providing clear visibility into key risk indicators, assessment results, and compliance initiatives, with integrated reporting of self-assessments, manual assessments, and automated controls.

New York Cyber Security Law Expected to Be Model for Other Industries & Localities

Even if your business is not located in New York state or operates outside of the finance and insurance industries, it is likely that these new regulations will eventually impact your business. First, because of the international reach of the finance and insurance industries in New York, other states and even other countries are expected to use the law as a model as they seek to stem the tide of data breaches, identity theft, and other forms of cyber crime. Second, the New York State cyber security regulations heavily emphasize governance, risk, and compliance processes that all organizations should be engaging in anyway, as part of their proactive cyber security plan.

Your organization does have a proactive cyber security plan, doesn’t it?

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with the New York Cyber security regulations and all other applicable laws, frameworks, and standards.

[bpscheduler_booking_form]

Jackpotting! Are ATMs at the end of every rainbow?

ATMs were designed to protect their cash vaults, not their computer components, which leaves them vulnerable to “jackpotting” cyber attacks.

Earlier this month, the American Bankers Association announced changes to its Bank Capture incident tracking system, which logs data on ATM attacks, as well as robberies, burglaries, and larcenies. BankInfo Security reports:

[T]he ABA has changed how ATM attacks are reported to collect more specific details, including plotting incidents on a map. It also now enables ABA subscribers to get real-time email alerts of incidents, [ABA Vice President for Payments and Cybersecurity Policy Heather Wyson-Constantine] says.

The system potentially could give banks more timely warnings that trouble may be on the way, because criminal gangs often hit a region and move to another one close by soon afterwards.

The improvements were driven by a lack of information. There’s no central repository for incident reports for attacks on ATMs, with bits of data coming from the U.S. Secret Service, ATM manufacturers and vendors, Wyson-Constantine says.

The ABA’s announcement comes on the heels of European and Asian law enforcement authorities reporting the arrests of five members of an international ATM “jackpotting” gang, code-named “Cobalt” for the security-testing software they hacked to launch their jackpotting attacks. Cobalt was responsible for about $3.24 million in thefts from ATMs in Europe and Asia in 2016.

“Jackpotting,” which was first demonstrated by the late white-hat hacker Barnaby Jack at a Black Hat Conference in 2010, refers to hackers installing malware on an ATM, either remotely or by physically accessing the machine, that allows them to command it to spit out large sums of cash. Commonly, hackers committing a jackpotting attack take control of the ATM’s diagnostic utilities to either (1) prompt the machine to open its safe or (2) alter the denomination codes so that the ATM “thinks” that it is dispensing the smallest possible bank notes ($5.00 or $10.00) when it is actually dispensing the highest possible denomination ($20.00, $50.00, or $100.00).

The Cobalt jackpotting group planted malware on ATMs remotely, via a spear phishing campaign that allowed them to access the targeted banks’ networks, then snake their way to the ATMs. They then recruited teams of “money mules” to travel to the machines and physically collect the cash, allowing the hackers to hit many machines in numerous areas very quickly.

ATMs Highly Vulnerable to Jackpotting

The invention of the ATM transformed the banking industry as profoundly as the cotton gin did agriculture. Even with mobile banking rapidly growing in popularity, the ATM endures; there are over 400,000 ATMs in the U.S. alone, and three-quarters of Americans use ATMs as part of their daily banking activities.

ATMs have something in common with electronic voting machines: Despite the sensitivity of what they do, they are incredibly easy to hack. The typical ATM design has barely changed since they were first introduced decades ago. Because cyber security was not a concern at that time, ATMs were built to protect their cash vaults, not their computer components. Attempting to break into an ATM’s vault using brute force is nearly impossible, but breaking the flimsy locks on the cabinets that contain the computer components requires only a screwdriver – if you have to break into the machine at all. At some standalone ATMs, the computer components are completely exposed, allowing anyone to walk up and insert a malware-infected USB.

Also similar to electronic voting machines, many ATMs run operating systems that are so wildly outdated, the manufacturers no longer support them, such as Windows XP and OS/2 Warp. Additionally, some banks install unnecessary software packages onto their ATMs, such as Adobe Acrobat, which opens up more possible vulnerabilities for hackers to exploit.

Protecting ATM Machines from Hackers

The most disturbing part of the Cobalt jackpotting attacks was their international aspect. The hackers never physically accessed the ATMs; they remotely infected and controlled them from hundreds or even thousands of miles away and sought out money mules to collect the cash. Many of the mules, who were recruited online, held citizenship in multiple countries, allowing them to travel freely throughout Europe and Asia. It is not difficult to envision a scenario where a hacker in another country infects ATMs in multiple U.S. states, then recruits several teams of money mules for the cash collection.

First, ATMs must be physically redesigned with cyber security in mind. A modern ATM’s computer components are at least as valuable as its safe, perhaps even more. Easily breakable plastic cabinets, flimsy locks, and external ports must be eliminated. However, a redesign will take some time to implement. In the meantime, banks must take immediate proactive steps to secure their current machines against jackpotting, including:

• Updating all outdated operating systems and software, and removing all software packages that are not necessary for the ATM to function.
• Installing endpoint security software on all ATMs and hardware firewalls on remotely located, standalone, and “island” ATMs.
• Securing the connection between ATMs and processing centers using methods such as a hardware or software VPN, SSL/TLS encryption, a firewall, or MAC-authentication.
• Securing the entire bank network against intrusions to ensure that malware cannot be installed remotely, as in the Cobalt jackpotting attacks.
• Performing regular penetration testing on the entire network as well as the ATMs themselves, so that vulnerabilities can be identified before a jackpotting attack occurs.

Banks would also greatly benefit from employing a RegTech solution such as Continuum GRC’s IT Audit Machine (ITAM IT audit software) to assess their specific risks and vulnerabilities, then design and implement a comprehensive cyber security plan to defend against them. Because cyber security is a dynamic field, with new threats emerging every day, these assessments should be performed on a regular basis.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

[bpscheduler_booking_form]

How RegTech Simplifies Governance, Risk, and Compliance

Complying with standards such as HIPAA, PCI DSS, FISMA, and SSAE 16 SOC reporting is complex, costly, and time-consuming, especially for organizations that must comply with multiple standards. You may have heard the term “RegTech” mentioned as a solution. What is RegTech, and how can it help your organization save time, money, and hassle?

RegTech refers to software solutions, usually delivered in the cloud, that automate governance, risk, and compliance processes. Continuum GRC’s proprietary IT Audit Machine (ITAM IT audit software) is an example of a RegTech software solution. In the finance industry, RegTech is often thought of as a subset of FinTech. However, RegTech has applications in every industry, from healthcare to ecommerce to SaaS and cloud providers.

3 Benefits of Using a RegTech Solution for Compliance

Lower Costs

Perhaps the biggest advantage of implementing a RegTech solution is the cost savings. Compliance is not a business driver; it is a business cost. Not only do RegTech solutions directly save organizations money by eliminating “audit anarchy” and making the compliance process less expensive and more efficient, they also free up internal IT staff to work on projects that benefit the organization’s daily operations and long-term goals, fostering innovation and driving profits.

Greater Insight into Your Data

Many organizations still use Excel and other spreadsheet programs for assessment and audit work. However, Excel performs poorly when used for this purpose; it has limits on space, accessibility, presentation, sustainability and formatting and was not meant to be used to analyze very large, complex data sets. RegTech solutions such as the ITAM IT audit software eliminate “spreadsheet madness” and organize data to give you clear visibility into your organization’s key risk indicators, assessment results, and compliance initiatives, with integrated reporting of self-assessments, manual assessments, and automated controls.

Peace of Mind

There is a severe shortage of cyber security and compliance professionals. Most organizations simply do not have the in-house expertise to interpret the complex requirements of industry and regulatory standards, particularly since they are continually shifting to respond to the evolving threat environment. For example, the PCI Council just released a 64-page guide updating PCI DSS best practices for ecommerce that stresses, in great technical detail, the upcoming required migration to TLS 1.1+. A RegTech solution cuts through the noise, takes the guesswork out of compliance, and ensures that organizations are always up-to-date with the latest standards, saving you from sleepless nights, wondering if your company is compliant.

RegTech in the “Era of Deregulation”

The recent election of President Donald Trump, whose campaign emphasized deregulation, has caused some experts to question the future of RegTech. However, even in a post-Trump world of relaxed regulations, RegTech will remain relevant. Consider the following:

• The political pendulum will ultimately swing in the other direction. Just as President Trump quickly obliterated many of former President Obama’s policies with the stroke of a pen, the president and Congress who follow Trump could immediately reinstate everything that was abolished during Trump’s administration.
• Individual states may respond to federal deregulation by establishing their own compliance standards, which could end up being more stringent.
• Privately established industry standards will remain in place regardless of what the president or Congress do. For example, PCI DSS is not a piece of legislation. It is a set of standards the major credit card providers require merchants and processors to follow in exchange for the privilege of accepting their cards.

It’s also important to note that RegTech isn’t just about compliance. RegTech solutions have multiple governance and risk management applications that will never lose their relevance, especially in today’s threat environment. For example, in addition to compliance and audit management, Continuum GRC’s ITAM IT audit software:

• Integrates your IT governance, policy management, risk management, and incident management so that your security protocols and policies are always aligned with the current threat environment.
• Enables an automated and workflow driven approach to managing, communicating, and implementing IT policies and procedures across the enterprise, ensuring consistency across departments, divisions, and locations.
• Provides an integrated and flexible framework for documenting and analyzing IT risks, developing mitigation plans, defining security controls, and managing ongoing risk assessments so that you can anticipate new and emerging threats and stop them before you are hacked.

Perhaps most importantly, most compliance standards are, at their core, common-sense cyber security best practices. Your customers want to know that their data is secure, and they will be hesitant to do business with your company if they do not have that assurance. Even if certain data privacy and reporting regulations are officially done away with, many organizations may choose to keep complying with them anyway, simply because their customer base demands it.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

[bpscheduler_booking_form]