Financial Sector Regulators Expanding Scope of Cyber Security Audits
bTrade has written before about cyber security risk assessments. We also covered the topic on our Twitter feed (@bTradeLLC) during National Cyber Security Awareness Month (#CyberAware). We would be remiss if we didn’t let MFT Nation readers know about a New York agency in the financial sector that is actively pushing for new regulations governing a variety of cyber security topics, including risk assessment.
To “promote greater cyber security across the financial services industry,” the New York State Department of Financial Services (NYDFS) announced late last year that it would be “expanding” its IT audits to “focus more attention on cyber security.” The expanded audit scope includes an examination of a broad array of relevant cyber security items, including the qualifications and management of an entity’s employees and third party vendors who are performing cyber security functions, steps taken to protect against intrusion, and cyber security insurance coverage.
NYDFS also advised that it would not even schedule a cyber security audit until a company has completed a “comprehensive risk assessment.” To aid in the assessment, each institution is required to submit a 16-part, detailed report describing its information security processes, including the systems in place to safeguard information, patch management programs, and “vetting, selecting, and monitoring third-party service providers.”
Earlier this month, the NYDFS published a letter that it addressed to a group of financial sector agencies/associations at both the federal and state level. After offering an opinion that cyber security is “among the most critical issues facing the financial world today,” NYDFS describes the results of its cyber security audits, as well as other steps it has taken to “highlight and identify existing and emerging cyber security risks at banks and insurance companies.” NYDFS also discusses several “broad conclusions and concerns” that emerged from the risk assessments.
It would be worth your time to review the entirety of the NYDFS letter because the MFT Nation staff have the feeling that NYDFS’s audit/risk assessment processes will likely spread to other states. In fact, NYDFS made such a recommendation in its letter: “The Department believes that it would be beneficial to coordinate its efforts with relevant state and federal agencies to develop a comprehensive cyber security framework that addresses the most critical issues.”
If you have any questions about this post or the cyber security risk assessment process, please send a confidential email to email@example.com.
I came across a Corporate Counsel article with a title of “How to Secure Data from Hackers.” Data security is a topic near and dear to hearts of all bTraders and MFT Nation readers, so we decided to give it a read. The gist of the article is that corporate counsel should consider “new” data security solutions such as “encrypting your data at the data level,” which according to the author would render perimeter and internal data security solutions “unnecessary.” We discussed this among MFT Nation staffers and below are our thoughts.
Do Not Rely on a Single Security Device; Use a Layered Approach Consisting Of A Variety of Different Methods
MFT Nation staffers voiced unanimous disapproval of any approach that relies on just one security device, and we believe most IT professionals and regulators would agree. In fact, most would recommend a layered approach for a data security strategy. For example, the Federal Communications Commission (FCC) issued a Cyber Security Planning Guide which contains a section captioned “Create Layers of Security,” and in it the FCC says:
Protecting data, like any other security challenge, is about creating layers of protection. The idea of layering security is simple: You cannot and should not rely on just one security mechanism – such as a password – to protect something sensitive. If that security mechanism fails, you have nothing left to protect you.
Thus, the best data security strategy involves several different security methods deployed in a layered manner. A layered approach reduces the likelihood that an attack will succeed by forcing the attacker to penetrate multiple security measures deployed at different layers of the network.
Do Not Ignore Perimeter Defenses and Other Internal Security Methods, Because You Need to Monitor Your Data Flows As Well As Who’s Trying To Get In And Out of Your Network
MFT Nation staffers tried but could not think of any situation that would render “firewalls, DLPs and other perimeter and internal security solutions unnecessary,” as the Corporate Counsel article suggests. Without such tools, an organization would be blind to vulnerabilities on its network and could not monitor its data flows or who’s trying to get into and out of the network. In fact, regulators have sanctioned companies for failing to deploy and/or properly use network monitoring tools, reasoning that such tools could have eliminated or reduced the risk of a data compromise.
Thus, network monitoring tools are a necessary component of a layered approach to data security. bTrade’s TDXchange has functionality that would help in that regard, including end-to-end message tracking, reporting, and real-time alerts. It has fully operational monitoring features in the GUI and a set of dashboards that enable real-time monitoring of file transfers, both textually and graphically. Also, dashboards permit users to track key data (messages, transactions, participants, mailboxes, certificates, services, connections, etc.).
Encryption is an Essential Security Tool, but Be Aware That Not All Encryption is Created Equal
In its Cyber Security Planning Guide, the FCC recommends use of encryption as an “essential data protection technology.” MFT Nation staffers wholeheartedly agree with the FCC, but we disagree with the assertion in the Corporate Counsel article that encryption is a “new” solution. As the FCC said in its Cyber Security Planning Guide: “Encryption has been used to protect sensitive data and communications for decades.”
MFT Nation staffers also want to warn readers that not all encryption is alike. For example, companies have incurred the wrath of regulators for “using only an insecure form of alphabetic substitution that is not consistent with, and less protective than, industry-standard encryption.” Even strong methods of encryption won’t protect your data if it isn’t configured properly, as one company learned when regulators challenged its encryption methods.
We should also point out the following warning noted in boldface in the FCC’s Cyber Security Planning Guide: “Because not all levels of encryption are created equal, businesses should consider using a data encryption method that is FIPS-certified (Federal Information Processing Standard), which means it has been certified for compliance with federal government security protocols.” bTrade customers have the comfort of knowing that the encryption modules used in bTrade’s software solutions are FIPS-certified.
Data Security is a Journey, Not a Destination
That is the title of an earlier MFT Nation piece. We repeat it here to emphasize that achieving a secure IT environment is not a “one and done” proposition. Data security is a dynamic process which requires strategies that must evolve in the face of changing risks. As such, the best approach for detecting and preventing unauthorized access to sensitive information is by deploying multiple data security mechanisms in a layered manner.
This is the last in a series of data security case studies offered by bTrade in support of National Cyber Security Awareness Month (NCSAM). As mentioned previously, bTrade is examining documents from public cases/proceedings initiated by regulators alleging bad data security practices, with the hope that lessons can be learned of what “not-to-do” when it comes to data security. This post will examine not one, but three separate cases involving two private companies from different industries as well as a government entity that was the subject of what some call the “most devastating cyber attack in our nation’s history.”
HIPAA Settlement Underscores the Vulnerability of Unsupported, Out-of-Date Software
An investigation was opened by Health and Human Services, Office for Civil Rights (OCR), after Anchorage Community Mental Health Services (ACMHS), a nonprofit mental-health care provider, gave notice of a breach involving malware that compromised unsecured electronic protected health information (ePHI) affecting 2,743 individuals. OCR’s investigation revealed that ACMHS failed to: (1) conduct “accurate and thorough” risk assessments; (2) implement policies and procedures to safeguard its e-PHI; and (3) implement “technical security measures to guard against unauthorized access to e-PHI” such as installing firewalls and ensuring that “information technology resources were both supported and regularly updated with available patches.”
ACMHS agreed to settle potential violations of HIPAA’s Security Rule by paying $150,000 and adopting a corrective action plan to correct deficiencies in its HIPAA compliance program. The corrective action plan requires ACMHS to report on the state of its compliance to OCR for a two-year period.
What is the lesson learned from this data security case study? Although multiple violations were alleged, OCR’s public statements focused on just one of ACMHS’s data security problems–running unsupported, out-of-date software. For example, in a public bulletin issued after the settlement, OCR said the data security breach was “the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.” OCR Director Jocelyn Samuels echoed these same sentiments:
Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.
SEC Settlement Underscores the Need to Adopt Written Policies and Procedures to Safeguard Customer Information
The Securities and Exchange Commission (SEC) censured and fined a St. Louis-based investment advisor, R.T. Jones Capital Equities Management, for not having required data security policies and procedures in place. According to the SEC’s order, R.T Jones stored sensitive personally identifiable information (PII) of clients and others on its third party-hosted Web server. The server was attacked by an unknown hacker who gained access and copy rights to the data on the server rendering the PII vulnerable to theft.
Without admitting or denying the SEC’s findings, R.T. Jones agreed to pay a $75,000 penalty to settle charges that it violated the “safeguards rule” because it “failed entirely” to adopt written policies and procedures reasonably designed to safeguard customer information. For example, the SEC alleged that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server or maintain a response plan for cybersecurity incidents.
What is the lesson learned from this data security case study? In a prepared statement, Marshall Sprung, co-chief of the SEC Enforcement Division’s Asset Management Unit, provided the lesson:
As we see an increasing barrage of cyberattacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients. Firms must adopt written policies to protect their clients’ private information, and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.
OPM Lawsuit Underscores the Need, in Certain Situations, to Shut Down and Start Over
An FAA employee recently filed a federal court class action lawsuit arising out of multiple cyber-breaches of systems at the U.S. Office of Personnel Management (OPM). OPM provides investigative products and services for over 100 federal agencies to use as a basis for suitability and security clearance determinations. According to the lawsuit, hackers compromised the security of at least 21.5 million individuals and top lawmakers described the breach as the “most devastating cyber attack in our nation’s history.”
What do plaintiffs allege that OPM did wrong? Plenty, according to OPM’s Office of Inspector General (“OIG”), the agency required under federal law to conduct annual audits of OPM’s cyber security program and practices. OIG identified “material weaknesses” as far back as 2007 that OPM not only failed to cure, but in many areas OPM’s performance actually got worse. According to a 2014 OIG report, the “drastic increase in the number of [software] systems operating without valid authorization is alarming and represents a systemic issue of inadequate planning by the OPM offices to authorize the [software] systems they own.” As a result, the OIG concluded that OPM’s software systems were so vulnerable that OPM should consider “shutting [them] down.”
What is the lesson learned from this data security case study? Although this saga has not yet played out since the lawsuit was only recently filed, we now know that certain data security systems can be so bad that the best solution is to “shut them down” and start over. At this point, it appears OPM’s problems result from the horrible operations of a government agency and its incompetent staff, rather than with technology or policies/procedures.
So stay tuned on this one because we guarantee it will produce lessons of what not-to-do when it comes to data security. bTrade’s MFT Nation will keep you updated on events as and when they occur.