New York toughens cyber security rules

25 April 2017

JLT Specialty has published the latest edition of their monthly cyber newsletter, Cyber Decoder. This issue contains the following articles:

New York enforces tough cyber security rules: With effect from 1 March 2017, the New York State Department of Financial Services (NYSDFS) introduced new, tougher cyber security rules (23 NYCRR 500) for the banks and insurance companies it regulates. Although the rules are risk-based as well as prescriptive, their prescriptive nature has drawn criticism. This article discusses the new NYSDFS rules and other cyber security requirements currently in place in the US and the UK, along with the pitfalls of having too many prescriptive regulations.

NCSC warns on the limits of security questions: Security questions are widely used as a form of authentication, especially as a backup if you forget your password. However, the UK National Cyber Security Centre (NCSC) recently advised organisations to carefully consider whether security questions offer enough protection. Analysis by Microsoft has found that personal questions of the type used by major web services like AOL and Google can be easily guessed. Researchers have even built algorithms that can deduce personal passwords by using leaked information available to hackers. Moreover, some 80-90% of data breaches involve the theft of security credentials, which seems to suggest that passwords are not all that effective. This article details the NCSC's concerns regarding password security and authentication and some of the alternative solutions that could eventually make passwords history.

Governments lead by example on cyber security: This article contains information about one of the initiatives of the UK government – the National Cyber Security Centre (NCSC) – to strengthen cyber security and explores the role governments should play to encourage cyber security and cyber insurance.

The problem of cyber-warfare: Cyber-warfare has become a hot topic in recent months, with allegations of Russian interference in the US election and leaks revealing the actions of the US intelligence community. This article details some instances of cyber attacks by nation states and the problems associated with the involvement of nations in cyber attacks.

Amazon Web Services outage: The recent Amazon Web Services (AWS) outage revealed the dependency that many organisations have on AWS for storage, backups or just delivering web content. This short article provides information about the outage, highlighting the lack of preparedness of many internet service providers for such disasters despite heavy reliance on cloud providers, and the importance of having appropriate cover for outages at third-party service providers.

This issue of the newsletter contains information about the difference between information technology (IT) and operational technology (OT) and details the reasons why OT is becoming more and more important.

The newsletter also includes learnings and details of the discussion from the Advisen Cyber Risks Insight Conference held in London on 7 March 2017, which was co-chaired by Sarah Stephens, Head of JLT’s Cyber, Content and New Technology Risks team.

You can download the full newsletter by clicking on the article titles above or by visiting the JLT Specialty Limited website.