Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
NYDFS Files First Suit: What You Should Know
It’s crucial that security teams establish a comprehensive incident and breach response plan that defines what constitutes an incident (thus establishing authority and accountability for action) and identifies business and legal stakeholders for escalation actions.
Cybersecurity is becoming increasingly central to regulatory compliance, with more and more attention being required to cope with new privacy laws and regulations enacted by international entities (GDPR in the European Union, Brazil’s LGPD, Canada’s PIPEDA) and multiple US state governments (led by California and New York). The challenge many organizations struggle with is understanding what cybersecurity capabilities must be in place to meet regulatory needs.
Yet some overwhelmed organizations may fail to maintain compliance through complacency or by downplaying the likelihood that a regulation will be enforced. This is naïve: we’re seeing regulators paying closer attention to how businesses are protecting consumer information and the bar is being continuously raised for privacy and cybersecurity regulatory requirements.
If your organization doesn’t typically have regulators auditing your privacy and cybersecurity program, don’t be complacent. If you have a significant security incident, especially when consumer information is involved, it’s very likely that you’ll get a call. How you handle the response will directly affect the outcome of any investigations – especially if the incident is reported to regulators or made public by an outside source.
We’re now seeing this scenario play out with New York State Department of Financial Services (NYDFS) 23 NYCRR 500. The NYDFS has filed its first lawsuit, and the complaint centers on four familiar challenges. The NYDFS alleges multiple failures by the organization, specifically charging that it:
This incident was first publicly reported by Brian Krebs in May 2019, seemingly before any report to the superintendent, which is required within 72 hours from determination that a cybersecurity event has occurred.
The NYDFS press release reinforces the governance and risk management components of an information security program, starting with the basic edict to follow company policy. The NYDFS500 requires organizations to maintain a written cybersecurity policy that’s approved by a senior officer, board of directors or appropriate committee. Policies establish the organization’s rules and establish accountability; there must be consequences for not actively following the official policy.
If you find yourself facing a significant security incident, your response can determine the level of scrutiny you’ll receive from customers and regulatory authorities. Organizations are getting better at incident identification and analysis, but we continue to see evidence in the press that many still struggle with incident response. In the new NYDFS lawsuit, exposure of sensitive information was detected, but there wasn’t a well-honed action plan.
It’s crucial that security teams establish a comprehensive incident and breach response plan that defines what constitutes an incident (thus establishing authority and accountability for action) and identifies business and legal stakeholders for escalation actions. Components of the plan should include:
NOTE: The NYDFS establishes two scenarios under which covered entities need to report cybersecurity events (notice the regulation not say “confirmed breach”):
An organization’s response to incidents should hinge on the assessment of severity, which should be based on key facts gathered and analyzed by the incident response team. Examples of key inputs to severity analysis include:
The incident commander and other key personnel should periodically re-evaluate all elements of the incident response plan to ensure the organization’s response is assigned the appropriate resources and urgency as well as to ensure that appropriate communications tactics are in place.
As the ancient Greek poet Archilochus wrote, “We don't rise to the level of our expectations; we fall to the level of our training.” Having a plan in place establishing how to respond to security events helps an organization remain in control in the event of an incident, which will in turn assures higher levels of customer trust, minimizes business impacts and provide the best possible outcome of a regulatory investigation.
November 13, 2019
Rather than building programs for individual jurisdictions, organizations should develop holistic programs that address the overarching commonalities.
August 20, 2019
Most major organizations are already fully compliant with GDPR. However, some may just now be launching into European markets, and others may have....
September 09, 2019
With mounting regulations, connectivity, and an explosion in data, privacy management programs are critical components of an overall security program....
Let us know what you need, and we will have an Optiv professional contact you shortly.