What Financial Institution Cyber Regs Tell the Infrastructure Sector
Banking & Financial Services
BY KRIS ST. MARTIN
Information security is a threat for every business, but it’s particularly disruptive to the nation’s infrastructure systems. Transportation, communications, financial institutions—if unauthorized users access information related to the core industries needed for everyday activities, it could be catastrophic.
Protecting infrastructure systems is a top priority for regulators. In 2013, an executive order was passed to increase cybersecurity awareness among the infrastructure sector. Among other provisions, the executive order led to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which today is one of the gold standards for information security protection. It also created the Critical Infrastructure Cyber Community Voluntary Program to help infrastructure industries adopt the recommendations in the NIST framework.
The frameworks established, however, only provide recommendations for improvements. Regulators are weighing whether to make the best practices identified in cybersecurity protection mandatory. Financial institutions in particular may soon find that robust cybersecurity programs are not optional. A closer look at the developments in information security requirements for financial institutions may give us a glimpse of what’s ahead for cybersecurity regulation of other infrastructure industries—and other companies at high risk for data breach.
Proposed Regulations in the Works
The Federal Financial Institutions Examination Council (FFIEC) has cybersecurity recommendations for all financial institutions. These recommendations include ongoing risk assessments and risk mitigation practices. The FFIEC suggests following software assurance industry practices for applications and regularly evaluating third-party software and services for unusual activity or behavior. It also has recommendations for protecting user permissions and for cybersecurity awareness training.
In 2016, financial regulators proposed taking things a step further. The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation announced proposed cybersecurity rules for large financial institutions. The rules would apply to any bank or financial institution with total consolidated assets of $50 billion or more, or any bank or financial institution that is a subsidiary of a financial institution with $50 billion or more in total consolidated assets. Third-party service providers that serve these financial institutions would need to implement the rules as well.
The rules, which draw heavily from the NIST Cybersecurity Framework and other cybersecurity publications, fall into five general categories: cyber risk governance, cyber risk management, internal dependency management, external dependency management, and incident response, cyber resilience and situational awareness. Comments on the proposed rules were due by Jan. 17, 2017, but the deadline was later extended to Feb. 17, 2017. It remains to be seen how the proposed rules would change in a final version.
Local Cybersecurity Efforts
Another trend that may be worth monitoring is state-mandated cybersecurity requirements. In the wake of cybersecurity incidents that affected the New York Stock Exchange and other New York-based financial institutions, the state passed its own cybersecurity requirements for financial institutions. Rules in 23 NYCRR 500 became effective on March 1, 2017 for qualifying financial institutions. It requires financial institutions to implement a comprehensive cybersecurity program that covers 17 key components, including:
■ A formal cybersecurity program and policy
■ A chief information security officer
■ Regular penetration testing and vulnerability assessments
■ A cybersecurity audit trail
■ Access privileges requirements
■ Application security measures
■ Cybersecurity personnel and intelligence
■ A formal third-party service provider security policy
■ Multifactor authentication for network access
■ Limitations on data retention
■ Ongoing training and monitoring
■ Encryption of nonpublic information
■ An incident response plan
■ Notices to the superintendent
■ Confidentiality measures
Lessons from Financial Institution Regulation
Infrastructure companies should monitor how mandatory rules play out for financial institutions. If the regulatory efforts are successful in reducing the number of financial institution cybersecurity incidents, state and federal regulators may turn their attention to other industries.
Organizations that have had a history of information security threats and disruptions may also want to consider undergoing a cybersecurity risk assessment and penetration testing exercises to pinpoint where their current practices are falling short. All sectors should also consider the benefits of cyber liability insurance. Insurance policies frequently require a minimum set of standards to be in place to protect information security and may help keep your organization up-to-date on cybersecurity best practices.
Related Reading
■ A Good Cybersecurity Defense Starts with People
■ The Internet of Things Makes the Future of Cybersecurity Much More Complicated
■ Cybersecurity Check-In: 6 Questions Boards of Directors Should Ask About Cybersecurity
If you have specific comments, questions or concerns about cybersecurity, you can reach Kris St. Martin at 763-549-2267 or kstmartin@cbiz.com, or contact your local CBIZ advisor.
KRIS ST. MARTIN
Minneapolis, MN
1-800-ASK-CBIZ • cbiz.com/banking @CBZCBIZ BizTipsVideos DECEMBER 2017