Risk managers face more prescriptive cyber rules

Data protection rules in the EU and US are becoming more prescriptive as governments look to tackle the rising cyber threat, according to a panel debate hosted by Advisen. The webinar highlighted two significant data protection laws currently being implemented on both sides of the Atlantic. From 1 March 2017, minimum cyber-security regulations for banks and insurers are to be applied by the New York State Department of Financial Services (NYSDFS), while the EU General Data Protection Regulation (GDPR) is due to come into force in May 2018. According to Eric Hodge, director of consulting at CyberScout, the GDPR and NYSDFS rules are further evidence of a trend towards cyber regulation, rather than private sector best practices and standard setting. They are also evidence of a shift towards prescriptive controls rather than risk-based regulation, he said. Private sector initiatives, such as the Payment Card Industry Data Security Standard, can work well, but given the number of successful cyber attacks, governments will increasingly conclude that the private sector is not doing enough, said Mr Hodge. “This is the beginning of a movement to give more prescriptive public sector guidance,” he said during the webinar. For example, the NYSDFS’s Cybersecurity Requirements for Financial Services Companies rules make “stipulations not yet seen” in other regulations, said Mr Hodge. They require firms to designate a chief information security officer and maintain an audit trail for cyber security events, as well as set rules for risk assessments, reporting and reviews of access privileges. Mr Hodge welcomed the clarity that the NYSDFS rules and GDPR will bring, but warned that there are challenges. “There are stipulations [by the NYSDFS] that will better apply to large organisations. The one-size-fits-all approach could be challenging,” he said. Also speaking on the webinar, Melissa Ventrone, partner at law firm Thompson Coburn, said that the GDPR and NYSDFS rules are broad in application. Firms with smaller IT and security budgets may struggle to meet their requirements, she said. She also questioned whether prescriptive rules will have the flexibility to adapt to changes in the cyber threat, technology and business operating models. “The guidance is more concrete, but some companies will struggle and I question if there is the flexibility to keep up with technology,” she said in the webinar. With more prescriptive data protection rules ahead, risk management will become even more relevant, according to the panellists. Ms Ventrone said companies can become “lax” when rules are prescriptive. “Companies will still need a risk approach to cyber security” she said. David Dickson, head of Technology & Cyber at broker Safeonline, concurred. “Regulations will not be able to keep up with cyber risk, so companies will need granular risk management approaches to move ahead of regulations,” he said. Mr Dickson believes that European and other countries could follow the US and adopt some of the more prescriptive aspects of the NYSDFS’s Cybersecurity Requirements for Financial Services Companies rules, such as requirements on banks to encrypt data and prepare response plans. Mr Dickson said it is natural for other countries to follow privacy regulatory developments in the US. “Europe is looking to learn from the US and the GDPR is the first step towards harmonisation,” he said. He welcomed this “harmonising” effect. However, Mr Dickson thinks that many companies are failing to grasp the significance of the GDPR and will not be prepared come the May 2018 deadline. “The build up to the GDPR will be gradual, but compliance will fall short,” he predicted. Ms Ventrone and Mr Dickson both suggested that regulators will take some time to adjust and enforce the new rules. “It will be interesting to see if EU regulators will hit the ground running in 2018 or if they will need a period in which to ramp up,” said Ms Ventrone. Despite the trend towards more prescriptive rules, Mr Dickson and Ms Ventrone do not envisage government requiring companies to purchase cyber insurance, although it could become a contractual requirement in supply chains. Ms Ventrone noted that regulators are already beginning to ask questions about a company’s insurance arrangements when investigating a breach. While she does not expect cyber insurance to become mandatory, Ms Ventrone thinks that regulators may come to see it as best practice, and will expect a company to at least document any decision not to buy cover. Ms Ventrone and Mr Hodges said that the direction of data protection laws in the US is now less clear under President Trump’s administration. “It will take time to understand the new administration’s intent, but we will probably see a walk back of federal regulation,” said Ms Ventrone.

Risk managers face more prescriptive cyber rules

Want to read this article?

Read Next

Fitch shifts state-linked Chinese insurers to negative outlook

Singapore regulator acts to bolster cyber resilience

Aon names Sapra head of reinsurance solutions India

Supporting net zero – is it enough?

SEC climate-related disclosure rules on hold

Fitch shifts state-linked Chinese insurers to negative outlook

Singapore regulator acts to bolster cyber resilience

Aon names Sapra head of reinsurance solutions India

Supporting net zero – is it enough?

SEC climate-related disclosure rules on hold

Want to read this article?

Read Next

Fitch shifts state-linked Chinese insurers to negative outlook

Singapore regulator acts to bolster cyber resilience

Aon names Sapra head of reinsurance solutions India

Supporting net zero – is it enough?

SEC climate-related disclosure rules on hold

Related Articles