Staying Ahead of the Law: Complying With Threat Intelligence Regulations
By Frederic Wolens on May 2, 2018
Editor’s Note: This blog post is distributed for marketing purposes only, and should not be considered legal advice or a substitute for qualified legal counsel.
We are now only about a month away from the May 25 deadline for the European Union’s General Data Protection Regulation (GDPR), which some have called the “most important change in data privacy regulation in the last 20 years.” Not only does the GDPR have major implications for data privacy, but it also contains several provisions (e.g., Article 32 — Security of Processing) that specifically cover data security. These clauses place various cybersecurity obligations on companies to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
Of particular note for either prospective or current consumers of threat intelligence is Article 32 (1)(d), which is the obligation for companies to implement processes for “evaluating the effectiveness … [of] the security of the processing.” As Recorded Future has previously highlighted, threat intelligence can provide immense value by helping organizations identify breaches much more quickly, thereby providing an opportunity to respond to and evaluate their security posture.
Given the imminent enforcement of the GDPR, we thought it might be an excellent opportunity to highlight some of the laws, regulations, and guidelines that cover cybersecurity and threat intelligence. Previously, a comprehensive cybersecurity program was just good business. Today, it may actually be the law for many organizations, and the list of covered industries continues to grow. As one can imagine, these obligations vary widely from country to country and from sector to sector, but we figured we could point to some of the regulations with the highest visibility.
We have singled out provisions related to threat intelligence to demonstrate the increasing importance of this cybersecurity functionality.
Last year, we posted “6 Corporate Security Risks Where Threat Intelligence Can Help,” and mentioned the upcoming New York State Department of Financial Services Cybersecurity Regulations (23 NYCRR Part 500). Now, organizations are subject to Part 500, and we want to remind all covered entities to ensure they are in compliance. Given Recorded Future’s focus on threat intelligence, we want to point out §500.02(b)(1), specifically, the mandate to “identify and assess … external cybersecurity risks that may threaten [your organization’s] security.”
Beyond the NY-DFS statute, financial services remain one of the most heavily regulated industries in terms of cybersecurity. Not only have individual states and the federal government come out in favor of increased legislation, but a whole host of industry groups have also promulgated a series of guidelines covering cybersecurity. As is normally the case, one should expect many of the current voluntary advisories to find their way into new regulations in the near future.
- Gramm-Leach-Bliley Act: The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information … [companies should] consider … reading relevant industry publications for news about emerging threats.
- IOSCO Guidance on Cyber Resilience: 8.2.2 — Financial market infrastructures should establish a process to gather and analyze relevant cyber threat information.
- FINRA Report on Cybersecurity Practices: Principles and Effective Practices — The incorporation of current threat intelligence to identify the most common incident types and attack vectors.
- FFIEC Cybersecurity Assessment Guidance: Financial institution management is expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerabilities so they may evaluate risk and respond accordingly.
- New York Department of Financial Services Cybersecurity Regulations: See §500.02(b)(1) above.
- OSFI Cyber Security Self-Assessment Guidance (Canada): 1.3 Organization and Resources — The [financial institution] has a centrally managed group of cybersecurity specialists that is responsible for threat intelligence, threat management, and incident response.
- CBEST Intelligence-Led Testing Report (UK): 6.2 — An approach based on threat intelligence complements the existing preoccupation with vulnerability and asset-centric security.
Outside of financial services, there are a range of other industries where threat intelligence has become increasingly front and center. Healthcare and insurance are two industries that are on the vanguard of cybersecurity due to the sensitivities of personal information involved, but advisories cover everything from nuclear fuel to SMBs.
In the United States, HIPAA is the overarching regulation that governs data privacy and security in the healthcare sector. Beyond the Security Rule in HIPAA itself, the Department of Health and Human Services also issues cybersecurity guidelines, as does HITRUST, the privately run collective composed of the nation’s largest healthcare providers.
- Health Insurance Portability and Accountability Act (HIPAA): The Security Rule requires covered entities to identify and protect against reasonably anticipated threats to the security or integrity of the information.
- HITRUST CSF Framework: The Health Information Trust Alliance already provides a CyberThreat XChange, and encourages members to “detect and [respond] to cyber threats targeted at the healthcare industry.”
- US HHS Cybersecurity Guidance.
While there are no regulations that directly regulate data security in the insurance industry, the National Association of Insurance Commissioners has released its own Cybersecurity Guidance. The NAIC is the U.S. standard-setting organization for the insurance industry that is governed by the chief insurance regulators from the 56 covered jurisdictions. In the face of the more than 2.6 billion data records that were compromised last year, one should expect that these non-binding guidelines will eventually work their way into legislation.
- NAIC Effective Cybersecurity Guidance: Principle 11 — It is essential for insurers … to stay informed regarding emerging threats or vulnerabilities, as well as physical threat intelligence analysis and sharing.
Beyond the heavily regulated world of healthcare and financial services, there are a host of other industries (e.g., nuclear power) where threat intelligence is either required or recommended to fulfill cybersecurity legislation. Furthermore, the U.S. NIST Cybersecurity Framework, the CERT Resilience Framework, and the United Kingdom’s NCSC Threat Intelligence Guidance all recommend incorporating threat intelligence as part of a comprehensive cybersecurity program.
- NRC Cybersecurity for Nuclear Fuel Facilities: 2.1 — As required by 10 CFR 73.53(b), the licensee must detect a cyberattack capable of causing a consequence of concern. To meet this requirement, the licensee should create a robust detection process that includes … appropriate gathering of threat intelligence.
- CERT Intelligence Preparation for Operational Resilience Framework: 1.4.6 — Operationalizing Threat Intelligence … By seamlessly integrating their [threat] intelligence analysis processes with these frameworks, organizations can achieve awareness, agility, and effectiveness.
- U.S. NIST Cybersecurity Framework: 3.2 — Establishing a Cybersecurity Program — It is important that critical infrastructure organizations seek to incorporate emergent risks and outside threat data to facilitate a robust understanding of the likelihood and impact of cybersecurity events.
- EU General Data Protection Regulation (EU): Article 32 — Security of Processing 1(d) — A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- NCSC Threat Intelligence Guidance (UK): The products of threat intelligence can be genuinely useful to a business, providing real benefits at all levels, from on-the-ground defenders to the board.
Update on August 2, 2018: On June 1, Alabama became the final U.S. state to implement a state-wide data breach law. Notably, the Alabama Data Breach Notification Act of 2018, beyond the regular mandates regarding disclosures of serious data breaches, also requires covered entities to “implement and maintain reasonable security measures to protect sensitive [data].” This includes measures that aid in the Section 3(b)(2) “identification of internal and external risks of a breach,” and, as stated above, threat intelligence can provide immense value in fulfilling this requirement.