As major data breaches continue to expose customers’ sensitive data and cause major monetary and reputation damage to organizations, regulators are taking notice. Two recent major regulations – the EU General Data Protection Regulation (EU GDPR) and NY State Department of Financial Services (NY DFS) Cybersecurity Regulations – are unprecedented in their scope and depth. Considering the prominence and influence of these two bodies, these regulations are most certainly setting a bar and should be considered a taste of what’s to come in terms of cybersecurity regulations. In addition, both regulations affect application security, and both point to AppSec regulation trends we can expect to see more of going forward. These trends include:
To this point, cybersecurity regulations tended to address the type of initiatives that should be undertaken in a general way. These two regulations are much more prescriptive in their approach, and not only indicate what organizations should do, but how. For instance, the NY DFS regulations don’t just stipulate that organizations assess the security of third-party providers, but require “representations and warranties”: Section 500.11 requires the establishment of a third-party information security policy, which includes “relevant guidelines for due diligence and/or contractual protections related to Third Party Service Providers including to the extent applicable guidelines addressing: … (4) representations and warranties addressing the Third Party Service Provider's cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.”
And EU GDPR Article 33 gets very specific about the notification of a data breach: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority…Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."
As breaches continue to originate at the app layer, regulators seem to be getting the message that only considering security at the end of the lifecycle is not adequate. Both these regulations require security measures throughout the application lifecycle – from the coding phase, through to production. Article 25 of the EU GDPR requires “data protection by design and by default” and mandates that an organization include security considerations in the design phase of systems and that data processing always defaults to the most privacy-focused method. It also includes guidelines around monitoring applications in production and notifying regulators of any breaches.
The NY DFS regulations span the application lifecycle from coding to production with both a requirement for secure development practices – “Each Covered Entity’s cybersecurity program shall, at a minimum, include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity” – and for applications in production, with a requirement for “audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity” (EU GDPR Section 500.06).
Acknowledging the increasing number of breaches perpetrated through third-party applications, both regulations include mandates around the use of software from external sources.
Section 500.11 of the NY DFS requires that organizations address: “(1) the identification and risk assessment of Third Party Service Providers; (2) minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity; (3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and (4) periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.”
Article 28 of the EU GDPR states that: "Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."
These regulations are unique in the scope of data they require organizations to protect. Neither regulation specifies a particular type of data, such as health or financial data, but require protection of any data that could possibly identify personal information. The NY DFS regulations require protection of any “non-public data.” The GDPR’s definition of the “personal data” that must be protected includes any information that can be used to directly or indirectly identify a person. This covers all sensitive data, including fingerprints.
Finally, perhaps most noteworthy about these new regulations is the EU GDPR’s unprecedented cost for non-compliance – “the greater of 4% of global turnover [revenue] or 20 million Euro.” This is certainly a sign that regulators will increasingly have little tolerance for non-compliance, and that organizations should take these regulations seriously.
Get best practices for complying with emerging cybersecurity regulations in the next blog post in this series.
Find out more about these regulations and how CA Veracode can help you comply with them: