Rick: In 2016, the New York Department of Financial Services (NYDFS) issued a cybersecurity regulation that went into effect in 2017 and covered entities, which are insurance companies, insurance brokers, producers, agents, and a variety of other entities, New York state-chartered banks, check cashing companies, etc. In 2021, they started enforcing it and fined a number of companies on consent orders with remediation plans and programs that were intense.
Ron: The NYDFS standards are specific. For example, 23 NYCRR Part 500 is fairly comprehensive. It is one of the first standards that specified a qualified chief information security officer (CISO). NYDFS expects there to be somebody who can manage the security program for the organization, somebody with the right experience from a technical perspective, with the right experience from a business executive perspective, somebody who can marshal the organization to be in the best state of protection of their data. The CISO has to give a report to the board and not just a committee. This requirement is being replicated in regulations like GLBA (Gramm-Leach-Bliley Act) and DOL (Department of Labor), and the SEC (Securities and Exchange Commission) will most likely follow.
One of the main commonalities in these regulations is multifactor authentication. You will also see this requirement in your application for cyber insurance. By creating a more robust monitoring perspective or a more robust dynamic defense methodology, it will put you in a better position to encounter things that maybe in the past have been difficult to do. For example, we're working with an organization that was a victim of a zero-day exploit. There wasn't a counter security patch that was available for a specific system on the edge. Without a defense-in-depth monitoring methodology, it's very difficult to combat. Bad actor groups will exploit those edge devices more and more, to the point where they might even be trying to look for their own zero-days and using those to make a big score. Without defense-in-depth monitoring, you can fall victim to a zero-day, which we're going to see more and more.