To combat cybercrimes targeting the financial industry, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) issued the Computer-Security Incident Notification Final Rule in November 2021. Under the rule, a banking organization must notify the FDIC within 36 hours after determining that a cybersecurity incident has occurred.
With this ruling, financial organizations must implement intelligence-rich cybersecurity policies that are able to report on the full spectrum of security events faster and more thoroughly. Why? Because the new cyber incident reporting rules turn up the heat on U.S. banks to up their game in quantifying and qualifying a compelling “security incident” or breach.
As I recently shared in CPO Magazine, while the window of opportunity to notify the FDIC was reduced from 72 to 36 hours, banks still have flexibility in the breadth of the notification and in the time taken to determine whether an event is an incident. This shortened time period can also drive positive trends in how businesses manage and analyze their digital threat surface, and in reducing the noise in the intelligence used to profile bad actors.
The shortened window to identify an incident will no doubt speed up the identification of an attack before it can proliferate across the enterprise and its integrated partners. The new rule can also encourage banks to invest more time and resources in how they measure their business process and use of data, and help them discover security gaps that open their critical business assets to an attack or breach.
I am interested to see how this change in banks’ cybersecurity processes and their adoption of new technology solutions to identify security gaps faster may impact other industries and regulations. For instance, an industry-wide theme that can benefit from this new reduced notification rule is the trend towards proactive vulnerability and gap analysis.
The Need to Accelerate Automated Gap Prioritization
Accelerated prioritization of security gaps can play a major role in identifying potential security incidents faster – before a targeted attack happens. Many cybersecurity regulations and compliance standards, such as the PCI DSS, have injected vulnerability prioritization into their requirements as a necessary practice to remain compliant and secure, moving security assessment further towards a risk-based method. The easiest way to fulfill that requirement is to understand the enterprise’s assets proactively, to the point where the security hot spots or gaps stand out and are spotted in the course of regular proactive analysis. The key is moving away from manual periodic scanning to continuous inspection of gaps, furnished with extensive enrichment data that supports grading each gap without much dwell time. If that shift in approach and risk awareness is driven by the need to demonstrate alignment with the shorter 36-hour window, then it could have a positive effect in driving needed change across the market.
To that end, Cybersixgill can help organizations meet this requirement head on and enable businesses to accelerate the implementation of an automated gap prioritization strategy to achieve continuous compliance with reduced analysis time. Cybersixgill’s new DVE Intelligence solution natively provides automatic enrichment data that accelerates both vulnerability analysis and vulnerability ranking. The DVE solution helps companies pinpoint the earliest indicators of risk and identify security gaps while directly meeting the many requirements that call for proactive vulnerability prioritization and continuous risk-based analysis. That analysis automatically aligns security vulnerabilities with enhanced intelligence from trusted and proven sources to identify the true risk behind any vulnerability in real time. This process helps overworked security professionals achieve a continuous risk-based view of their security gaps, measure and reach their desired enterprise security posture faster, and vastly cut down on the time needed to properly risk-rank security vulnerabilities, with an entire repository of enrichment data to support and prove their analysis for auditors, regulators, and company executives. The end result meets the new and emerging compliance requirements and accelerates the company’s security objectives.
Want to learn how Cybersixgill can help you assess, measure, and prioritize compliance posture and address emerging threats? Contact us to discuss your threat intelligence needs and goals.