Regulators: The Compliance Bar—and Costs—Keep Rising
May 24, 2023
By Christopher Buse
Chief information security officers (CISOs) face a daunting challenge: keeping abreast of and demonstrating compliance with constantly changing compliance requirements. CISOs frequently use the term “compliance bar,” which implies that there is single set of regulatory guidance to pick up and read. That is not the case. A significant challenge is normalizing requirements from numerous state and national regulators, none of which use common nomenclature. In effect, every CISO must create and maintain his or her own compliance bar.
The Bar Keeps Rising
The common themes of regulators in the financial services sector are more granular rules, more reporting requirements and more external validation of controls. Each of these "mores” means more cost.
A primary regulator for financial service organizations at the state level is the New York State Department of Financial Services (NYDFS). The regulator has proposed major changes to NYDFS Part 500 Cybersecurity Requirements for Financial Services Companies. The proposed changes include:
- Many new technical security controls.
- Annual audits of cybersecurity programs.
- An independent risk assessment every three years.
- Special requirements for company leaders and Board members.
- More granular policies and procedures.
- Requirements to maintain a complete and accurate asset inventory.
- Increased cyber incident notification requirements.
- New business continuity regulations.
Other regulators have similar proposals. For example, the Securities and Exchange Commission is undertaking an effort to expand its cyber-related regulations. There also are new state-level regulations that outline cyber requirements to protect personally identifiable information. Proposed rules by the new California Privacy Protection Agency will set a new bar in this area for many organizations.
Is This Trend a Good Thing?
Some CISOs look at new regulatory requirements with disdain. However, I would argue that they promote fair competition for organizations that take cyber seriously. The presumption, of course, is that new regulations make sense and align with generally accepted best practices.
To illustrate, proposed regulations by the NYDFS will mandate use of a privileged account management solution to protect our most sensitive accounts from takeover. They also will require deployment of an endpoint detection and response solution, such as Crowdstrike, to thwart the introduction of malware. Also included in the NYDFS proposal is a centralized solution to aggregate and foster real time analysis of event data. These and other provisions come with a hefty price tag. However, organizations that take cybersecurity seriously already have these controls. Codifying generally accepted best practices simply levels the competitive playing field for all organizations that manage sensitive financial data.
Will This Ever End?
The short answer is that nobody knows. With history as my guide, this CISO believes that unscrupulous people will continue to search for innovative ways to commit cybercrimes. Therefore, companies that take cyber seriously will need to continue investing in better tools in what has become un-ending game of whack a mole. And of course, regulators will continue doing what they do best—promulgate protocols.
I look forward to a healthy debate about the role of regulators at upcoming ALTA events.
Christopher Buse is senior vice president and chief information officer for Old Republic National Title Insurance Co. He serves on the ALTA Information Security Work Group. Buse can be reached at [email protected].
Contact ALTA at 202-296-3671 or [email protected].