What do Brussels, Belgium and Albany, USA have in common? The latter is a sleepy city which acts as the capital of New York State, as is Brussels for the European Union. Well, they now share another similarity. Both capitals are at the forefront of cyber regulation.
In Europe, the General Data Protection Regulation (GDPR) is in the spotlight. It has a global impact on all industries and any company who wants to do any business in Europe. This regulation has had a long buildup and soon comes into effect in May 2018 with some razor-sharp teeth. Basic fines surpass a couple million dollars, but for the bigger breaches we are talking scores of millions of dollars all the way up to 4% of global revenue for any organization. Ouch. It could completely wipe out profit margin in the retail industry, for example.
In the USA, the New York State Department of Financial Services (NYS DFS) issued a regulation in March that is as stringent as GDPR. Titled 23 NYCRR 500, it is now partially in force with the rest to be phased in over the two-year period since its introduction. Its scope does not reach the financial services institutions that are regulated at the state level – mostly insurance carriers – that do business in New York. A breach of NYS DFS regulations could terminate any business in New York. That’s even more painful than a huge fine, and with longer term implications for jobs and reputations. This places greater importance on strong software quality and compliance discipline.
Another similarity between the two new regulations is the role of a responsible executive. The GDPR sets forth the assignment of the Data Protection Officer (DPO), who becomes the responsible party for any organisation which employs over a certain number of employees to ensure that the data “at risk” is identified, the data processing impact analysis (DPIA) takes place and all passageways to the sensitive data are examined and protected. The NYS DFS simply specifies that affected organisations must have a CISO. Apparently, some financial services companies still don’t have a CISO. It is of little surprise then that breaches, such as Equifax, continue to make headlines.
The ‘cyber’ world has long been fixated on process and protocol, ensuring all sorts of controls are in place concerning networks, data centres, firewalls and best practices. However, this has drawn focus away from data. The GDPR is by its very definition focused on the private data kept by enterprises. All companies must practice “data privacy by design” and the customer is entitled to have control over how their data is handled, including the right to be forgotten. The NYS DFS focuses more broadly, on all companies operating data, not just customers’ Personal Identifiable Information (PII). There is also a significant emphasis on data security here.
Regulators and all security professionals should realise compliance is really all about the data. Typical security approaches are looking at the fortress walls, where the attacker might gain access. The more advanced security practitioners are now starting to think inside out instead. Start with everything that touches our data inside the firewall, whether at rest or in transit, and securing all those touch points. The quality of the software should be the first step, not just dealing with the known exploitable weaknesses. It’s the foundation that needs to be done to block attackers that have already penetrated the network defenses, or who are insiders to begin with.
Finally, both regulatory regimes are broadening the scope from a sole focus on security. There are many examples, including recent issues such as the Cloudbleed data leak, which show a security issue stemming from a fundamental software quality issue. We’ve seen sensitive data exposed, or corrupted, repeatedly due to mistakes in the code, poor database management, circular dependencies across multiple components and generally unstructured architecture. If it must be the regulators who lead the industry into a more thorough consideration of data management architecture, so be it.
While the attitude in Washington with the current administration is to lower regulatory burden overall with the view to increase trade, the situation on the street is more nuanced. What Washington doesn’t do, others will. We’ve already seen US states such as California, New York, Washington and Massachusetts take a stand on environmental issues, where China and Europe are far more advanced than the US. We’re currently witnessing Europe, Singapore and New York State lead in in cyber regulation too. Since these are all large main street and capital markets, the industry, and eventually Washington, are sure to follow.
Lev Lesokhin is EVP of Strategy and Analytics at CAST, the leader in software intelligence.