Alvin Mills

VP of Information, Technology & Security

More regulations in cybersecurity?

“The time has come for government to mandate that companies vital to U.S. national and economic security meet basic cybersecurity standards, according to a vast majority of cybersecurity experts.” (Cybersecurity 202 Newsletter) 

The Cybersecurity 202 Network is a panel of more than 100 cybersecurity experts who are surveyed on cybersecurity topics. According to a recent survey, 86% of this panel felt more regulations are due. One expert commented that the current state of cybersecurity protections in critical industries is “a clear market failure that will only be remedied with regulation.”

Regulations are nothing new to financial organizations. In fact, the consensus is whether it’s a traditional bank or a modern fintech startup, they are among the most heavily regulated businesses already — and have been for some time. Let’s face it, financial institutions are a lucrative entity for cybercriminals who are after the sensitive information stored and the money. 

Can you be secure & compliant?

I believe so, but first we must understand the difference between being secure and being compliant. Compliance focuses on the kind of data a company handles and which regulatory requirements (frameworks) apply to its protection; security focuses on the technical systems, tools and processes put in place to protect and defend the information and technology assets of an organization. To ensure that all compliance requirements are met, or at least reviewed, many of our banks do a crosswalk against multiple frameworks.

But I do feel like we continue to blur the lines between the two. Or possibly we do not understand enough between the two and therefore try to blend the two together. I am living proof that sometimes organizations try to get dual roles or functions out of the same person. But I don’t think this is a cost-savings issue — I just think it is not fully understanding there needs to be a clear delineation between the two roles. Both are necessary and both are vital to the success of an organization, and both must work together. I’ve said this for some time and believe many of my peers in cybersecurity feel the same way. Compliance is not security. In fact, you can be compliant but not secure. 

What’s next?

We’ve already seen some recent moves by the government. Coming on the heels of the Colonial Pipeline attack, the Department of Homeland Security (DHS) issued a security directive last month requiring pipeline companies to report cyber incidents to federal authorities, and it is close to issuing a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked. Up until now, the agency has offered only voluntary guidelines.

Which industry is next? Will the same mandatory rules apply across the board to other critical infrastructure? Can the same rules be applied? 

“Any cyber standards that we implement must be harmonious with the other security regulations currently applicable to industry,” said Brian Harrell, a former DHS assistant secretary for infrastructure protection. “Let’s not have six sets of books that regulate one way on Monday, and another way on Tuesday.”

I absolutely agree with that.