By Charlie Moskowitz, Vice President, Policy and Public Sector at SecurityScorecard
Cybercriminals never stop. Often they are supported, tacitly or explicitly, by a nation-state, pitting individual company security executives against the full force of rogue nations.
Companies cannot win this fight if left to defend their infrastructure alone. To secure the nation’s IT infrastructure, regulators must improve collaboration with the private sector and modernize their approach by bringing stronger cybersecurity tools to their oversight efforts.
The cyber threat landscape and companies’ security posture change daily, if not hourly, yet underfunded regulators do not have the resources to audit every company even once a year. Government agencies still rely on infrequent audits and examinations, limiting the government’s understanding of the true nature of the threat we face and leaving companies highly vulnerable to attack.
Cyber examinations, in other words, are a yearly (if that) solution to an immediate and ever-evolving problem. Regulators should no longer rely on annual paperwork and box-checking exercises that amount to an illusion of security.
New York Opens an Eye to Cybersecurity Oversight
In May 2022, the New York Department of Financial Services (DFS) announced its intention to incorporate cybersecurity ratings into its regulatory process. This is excellent news for the 3,000 businesses and organizations regulated by DFS – including top banks, insurers and other financial services companies doing business in the heart of America’s financial system. DFS regards cybersecurity as the top threat facing these companies.
DFS began looking at real-time ratings as a key component to their work as early as December 2019, as New York implemented new cybersecurity rules while fighting against an exponential increase in cyber attacks.
The use of ratings – grades based on a wide array of data taken from public and open sources – has helped DFS evolve its oversight in several ways. DFS can use the grades to match its limited number of audits to the most vulnerable organizations. Once an examination starts, ratings on 10 different subfactors point to specific security vulnerabilities ranked by criticality so examiners can prioritize their attention.
Ratings provide this defined set of metrics from an outside, impartial source in an easy-to-navigate online interface. In addition to ongoing monitoring, information from the ratings platform can be used to verify data that an audited organization provides.
Most importantly, ratings provide a quantitative assessment of cyber risk that allows DFS and the companies it regulates to speak the same language. Any company can now see the exact same data that DFS is looking at. DFS can also now compare organizations objectively against consistent data points to understand what the risk landscape looks like across the entire financial services industry operating in New York State.
Using cybersecurity ratings as part of a regulatory approach helps re-orient evaluations from a point-in-time paperwork assessment to a collaborative dialogue between company and regulator. It also completes the 360-degree view of an organization’s attack surface: complementing the purely internal view of a company’s vulnerabilities, security ratings provide a hacker’s-eye view, allowing organizations to think like a threat actor and stay one step ahead. These simple-to-understand grades can show leaders, boards, IT practitioners, and others what the company’s platform looks like to someone trying to break in, using clear language and grounding it in objective, publicly available third-party data.
Taking Cybersecurity Ratings Across 50 States
New York DFS is one of the world’s most important regulators, overseeing companies at the heart of the global financial system, regardless of where they are headquartered. But what does all this mean outside of New York?
New York DFS is leading the way for other regulatory agencies across the country by putting a firm stake for regulatory modernization in the ever-evolving ground of cybersecurity. DFS is pointing to cybersecurity ratings as a must-have for regulators in other states.
Achieving that sort of coverage – across America’s 50 states, 5,000 banks and savings institutions, and more – is a big, beneficial goal. The advantage is safety in numbers. Each state that modernizes oversight makes it easier for other states to patrol their networks. States that do not modernize, however, will continue to rely primarily on the static, infrequently communicated viewpoints of individual, regulated entities to defend against an enemy that requires collective, ongoing action.
We are safer together.
With this in mind, regulatory agencies should modernize their oversight by adding cybersecurity ratings to their box of tools. Otherwise, the nation’s IT infrastructure won’t be safe.
About the Author
Charlie Moskowitz is Vice President, Policy and Public Sector at SecurityScorecard. Charlie brings over 15 years of policy and regulatory experience to SecurityScorecard. Charlie comes to SecurityScorecard after two years at Signal Group, a bipartisan public affairs firm in Washington where he represented a variety of clients on issues ranging from child abuse prevention to cybersecurity to bringing more data science rigor to federal policy. Before that he spent almost a decade on Capitol Hill in policy and investigatory roles, ultimately serving as the Chief Policy Counsel for the Democratic staff of the Senate Homeland Security and Governmental Affairs Committee under Senator Claire McCaskill (D-MO).
Charlie can be reached on LinkedIn https://www.linkedin.com/in/charlie-moskowitz-8905a5b/ and at https://securityscorecard.com