Of data and deadlines: The scramble for cybersecurity compliance
In light of 2017’s most severe breaches—from Equifax to Deloitte—it’s no surprise to see companies rethink their cybersecurity posture. However, it’s not just breach threats turning heads these days: it’s also the looming deadline for important cybersecurity regulations.
If you aren’t already addressing the New York State Department of Financial Services (DFS) Cybersecurity Regulation and the General Data Protection Regulation (GDPR), consider yourself behind in the “achieving compliance race.” Protecting sensitive information—everything from names and birthdays to Social Security numbers—will require a new approach. Yet most companies find themselves woefully unprepared.
According to Gartner, “More than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements” by the end of 2018. That’s particularly shocking given its expected full rollout in May. So what do these new regulations mean for banks and financial institutions? And what can you do to accelerate your ability to comply?
The state of new cybersecurity laws: Is it yours?
One state-specific law everyone should watch is New York’s Cybersecurity Regulation (23 NYCRR Part 500). Effective March 2017, it required companies to comply by August 28 that year. Although it is the first law of its kind, expect many states to enact similar regulations in 2018 and beyond.
Under this law, banks, insurance companies and other financial service institutions must launch a cybersecurity program to protect consumers’ private data. This includes:
- A written data security policy (or policies) approved by the board or a senior officer
- A Chief Information Security Officer to help protect data and systems
- Controls and plans to ensure the safety of data and soundness of New York’s financial services industry
Even if your state chooses not to adopt a regulation of this kind, these best practices will benefit all financial organizations. If similar steps aren’t taken and breaches occur, an organization (and its security team) can be held responsible for failing to take the right steps to protect sensitive customer data.
Going global: What is GDPR?
The other regulation you are likely addressing is GDPR, an upcoming European Union (EU) privacy measure set to take effect in May. Designed to unify and normalize the data protection framework within the EU, it requires compliance from any company with EU customers, or that targets customers there. For example, credit card information and Social Security numbers must always be protected, wherever stored. And customers have the right to revoke or correct information about themselves in a timely fashion.
Despite the talk surrounding these regulations, confusion reigns due in part to a lack of resources to properly prepare companies. This could cost them a pretty penny; repeated non-compliance with the GDPR invites fines up to €20 million ($24.8 million) or four percent of total worldwide annual turnover from the preceding financial year, whichever is higher. With stakes that high, compliance will rank as a top priority for companies in 2018—especially with GDPR.
Data centricity, front and center
IT and security teams often get a bad rap for refusing to adopt new, innovative technologies and processes. Often that’s due to valid security concerns, but in today’s business landscape, time-saving tools that encourage collaboration and outsourcing of customer service tasks create a competitive advantage companies can’t afford to ignore. No cure-all can protect an organization from a cyberattack. But certain steps can (and should) balance agility with keeping data safe. Improving data security makes good business sense, and these new regulations require it. This is where data-centric security comes into play.
Once data leaves the virtual four walls of a company, traditional security protocols such as firewalls and standard file encryption no longer suffice. Protecting information at the file level with granular usage controls ensures that protections follow the data. Such controls also restrict what someone can do with the file, from which IP address, and for how long. Organizations that control and track granular usage can freely adopt outsourcing and file-sharing services or allow personal devices without sacrificing security. And the ability to control, revoke, and track data usage—whether it sits on an outsourcer’s server, in the cloud, or on an employee’s personal device—is what GDPR and other new regulations require.
The optimal data-centric security platform unites multiple solutions that include data classification, rights management and data loss prevention solutions. As you consider your compliance approach, adopt the flexibility to select best-of-breed, data-centric solutions that allow for seamless integration. Data-centric security solutions should also smoothly connect with existing enterprise systems (including content management, transaction systems, file sharing and email) to facilitate rapid deployment and automated protection.
A data-centric security approach should inform every financial institution’s 2018 strategy. And there is good news: It’s now easier than ever to add persistent, granular usage controls to your data that help you better prepare for breaches, even as they efficiently address government regulations. All told, that amounts to quite the win-win: a business that follows the rules and rules the followers.