According to a report by Reuters, New York’s Financial Services Department will undertake “regular” reviews of the security posture at insurers. In the past, the end game of data breaches was fraudulent credit card purchases, but more recently, we are seeing them result in long-term identity theft. As a result, the state of New York is looking to protect its citizens by emphasizing the importance of cybersecurity.
This is an interesting development because, until now, intense scrutiny of an enterprise’s security posture was reserved for the aftermath of an incident. Now, a government agency is going to question an entire industry’s cybersecurity readiness in order to help prevent breaches from occurring in the first place.
With New York taking this bold step, it is only a matter of time before other states follow its lead. Also, while the agency is focusing on insurers for now, how long before it starts looking at other enterprises that collect and store personal information, such as retailers, healthcare organizations or even financial institutions?
Of course, preventing breaches has always been the goal of security teams and the CISOs who lead them. But with 2014 being called the “Year of the Hack” by some media outlets, they have their work cut out for them. As enterprises continue to produce more applications in order to drive their businesses, their inability to scale current application security programs means that only business-critical applications are audited for security. This leaves a significant number of web and mobile applications unassessed and potentially vulnerable, creating long-term security risk.
But it isn’t just the applications and code produced by internal developers that companies need to secure. Enterprises must also secure the code their developers borrow and purchase from third-party and open source libraries, as well as the software the company purchases from independent software vendors. These areas are often overlooked and, as a result, become the path of least resistance for a cybercriminal looking to penetrate an enterprise.
With more scrutiny on insurance companies, I wonder whether we will see a change in how CISOs at these organizations approach security, and how long it will be before other states follow suit.
What do you think? Will regular reviews of insurers’ security postures help evolve security strategies? Does your organization include component analysis and third-party security as part of its security strategy?
Learn how to reduce risk from vulnerable third-party and open source components: https://info.veracode.com/webinar-sans-whats-in-your-software.html