The Rise of the Regulators in Cybersecurity
Back in February 2013, President Obama signed Executive Order 13636, Improving Critical Infrastructure Cybersecurity. Among other things, it asked US regulators in a long list of industries – finance, healthcare, utilities and so on – to review whether their existing cybersecurity requirements were “sufficient given current and projected risks,” and to take action if not.
Fast forward two-and-a-half years, and organizations in those industries are finding themselves faced with a more rigorous regulatory regime than ever before. In the continued absence of comprehensive cybersecurity legislation from Congress, more and more of the rulemaking is coming from government agencies, and with it more and more compliance mandates for the industries they regulate.
This rise of the regulators is a potential problem for US organizations for a few different reasons.
Most obviously, it creates a workload that wasn’t there previously. In the financial services sector, for example, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has launched its Cybersecurity Examination Initiative and issued broker-dealers an extensive – but not exhaustive – list of the measures and safeguards its examiners will look for. Working through this checklist will cost organizations a significant amount of time and money, and may still not cover the full scope of their obligations: the sector’s other regulatory agencies may interpret their responsibilities differently, and ask for different evidence.
Beyond that, there’s the now well-established fact that compliance is not security. Time and time again, organizations that have passed compliance audits are breached within months of meeting their requirements.
Regulators are checklist-driven. Cybercriminals are not. A sophisticated attack won’t be obstructed simply because a mandate for up-to-date antivirus software was checked off a list somewhere. A rigorous regulatory regime also means that organizations potentially have a large portion of their cybersecurity spending dictated for them, and not necessarily in the way that most effectively keeps attackers out of their networks. The right tools and technologies for the job may be entirely absent from the regulator’s checklist.
Ensuring Both Compliance and Security
All of this puts US organizations in regulated industries in a difficult position. On the one hand, the regulators are becoming more demanding and compliance more resource-intensive. On the other, cybercriminals are becoming more prolific and sophisticated, and defy this checklist-oriented, baseline approach to cybersecurity.
In theory, these two problems can be solved independently of each other. In practice, it’s rare that an organization is well enough resourced to do so. This creates a need for solutions that both provide the best possible protection for digital assets and satisfy the requirements of whatever regulatory regime is in place, effectively and efficiently.
A good example of this is in the area of access control and auditing. Regulators often ask organizations to produce reports demonstrating that only authorized personnel have access to a given resource, and that this access is granted only for an authorized purpose. See the following examples from the SEC’s checklist for broker-dealers:
“The Firm maintains controls to prevent unauthorized escalation of user privileges and lateral movement among network resources. If so, please describe the controls, unless fully described within policies and procedures.
The Firm restricts users to those network resources necessary for their business functions. If so, please describe those controls, unless fully described within policies and procedures.”
Traditionally, satisfying these two items would mean segmenting the network with firewalls, ensuring that user groups are aligned to business functions, logging every access and then relaying that information to the auditor, often by hand. It’s obviously simpler to deploy a solution that has the principle of need-only access and global audit logging and reporting built into its core, so that the same policy that enforces the restriction also produces the evidence that it is enforced.
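To make the two checklist items above concrete, here is an added example (not code from the original post or from Cryptzone) of what “restricting users to the resources their business function needs” and “reporting on it for an auditor” look like when they are driven by the same policy. The business functions, users, resources and audit log lines are constructed for illustration; the evaluation logic is the general one, so any log in the same four-field format can be run through it.

```python
from collections import defaultdict

# Constructed sample policy (hypothetical): each business function is granted
# only the network resources it needs. This one table is both the enforcement
# rule and the thing the auditor is shown.
FUNCTION_RESOURCES = {
    "trader": {"order-mgmt", "market-data"},
    "compliance": {"trade-archive", "market-data"},
    "it-admin": {"jump-host", "ldap-admin"},
}

# Constructed sample directory (hypothetical): user -> business function.
USER_FUNCTION = {"alice": "trader", "bob": "compliance", "carol": "it-admin"}

# Constructed sample audit log: "<timestamp> <user> <resource> <action>".
SAMPLE_LOG = """\
2015-09-01T09:00:01Z alice order-mgmt read
2015-09-01T09:00:05Z alice trade-archive read
2015-09-01T09:01:10Z bob trade-archive read
2015-09-01T09:02:00Z bob ldap-admin write
2015-09-01T09:03:00Z carol jump-host login
2015-09-01T09:03:30Z dave order-mgmt read
"""


def authorized(user, resource):
    """Need-only check: allowed iff the user's business function needs the resource."""
    function = USER_FUNCTION.get(user)
    if function is None:
        return False  # unknown identity: deny by default
    return resource in FUNCTION_RESOURCES.get(function, set())


def functions_needing(resource):
    """Business functions whose need-only set contains this resource."""
    return {f for f, needed in FUNCTION_RESOURCES.items() if resource in needed}


def parse_line(line):
    """Split one audit line into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    timestamp, user, resource, action = parts
    return {"timestamp": timestamp, "user": user, "resource": resource, "action": action}


def audit(log_text):
    """Evaluate every log line against the policy and build what an auditor asks
    for: each access that fell outside the user's business function, plus a
    per-user summary including which functions' resources the user touched
    (a user spanning several functions is the footprint of lateral movement)."""
    violations = []
    per_user = defaultdict(
        lambda: {"allowed": 0, "denied": 0, "resources": set(), "functions_touched": set()}
    )
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue  # malformed line: skipped here, would be its own finding in practice
        summary = per_user[event["user"]]
        summary["resources"].add(event["resource"])
        summary["functions_touched"] |= functions_needing(event["resource"])
        if authorized(event["user"], event["resource"]):
            summary["allowed"] += 1
        else:
            summary["denied"] += 1
            if event["user"] not in USER_FUNCTION:
                event["reason"] = "unknown user"
            else:
                event["reason"] = "resource not needed by " + USER_FUNCTION[event["user"]]
            violations.append(event)
    return {"violations": violations, "per_user": dict(per_user)}


def format_report(result):
    """Render the audit result as the plain-text report handed to the examiner."""
    lines = ["Access outside business function:"]
    for v in result["violations"]:
        lines.append(f"  {v['timestamp']} {v['user']} -> {v['resource']} ({v['action']}): {v['reason']}")
    lines.append("Per-user summary:")
    for user, s in sorted(result["per_user"].items()):
        lines.append(
            f"  {user}: {s['allowed']} allowed, {s['denied']} denied; "
            f"resources: {', '.join(sorted(s['resources']))}; "
            f"functions touched: {', '.join(sorted(s['functions_touched']))}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_LOG)))
```

Run against the constructed log, the report flags alice reaching into the compliance archive, bob writing to an IT-admin resource, and an account (dave) that is not in the directory at all; the same policy table that produced those findings is the one enforcement would consult, which is the point of having need-only access and audit reporting share a core.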
It remains to be seen how cybersecurity regulation – and indeed legislation – in the US will evolve and mature in the long run. For now, though, the rise of the regulators is clearly something organizations need to pay close attention to when they source and deploy new defenses against cyber threats.
Learn more about how Cryptzone’s secure access, data security and content governance solutions can help you comply with your industry’s regulatory regime at the same time as keeping your digital assets safe from cybercriminals.