Data Sheet—Saturday, September 24, 2016
You knew this was coming. After a steady series of hacking debacles, regulators are stepping in and ordering companies to tighten up. Soon companies in the financial sector — banks, brokerages, and insurance firms — will have to comply with cybersecurity rules that include encrypting sensitive information and appointing a security chief.
The rules come from New York’s Department of Financial Services, and are scheduled to go into effect in 2018. While they apply only to New York, they will have an outsize impact given the state’s central role in the financial sector and influence on other state and federal government entities to follow suit.
While agencies have offered guidelines, this is the first time regulators have introduced a real stick to make companies clean up their cyber-game. According to Judy Selby, a managing director with the consultancy firm BDO, the rules include enforcement provisions and will put senior executives on the line by requiring them to sign off on cyber compliance.
Selby says the rules won’t be a burden for big banks since many of them have already been heading down this path on their own accord. But it could be a challenge for smaller companies that are less prepared for cyber-compliance, and she says it would also be a heavy lift for the regulators too. Overall, Selby thinks the effort is worth it.
“I think it was necessary for them to do something because the stakes are so high. It’s an economic threat and a national security issue,” she said.
Selby’s probably right — though let’s also hope the government doesn’t forget the carrot part of the equation. At least one congressman is thinking this way: Rep. Kevin Perlmutter (D-Colo) has a bill to give a 15% tax credit to companies that buy cyber-insurance. Good idea.
Finally, you’ve probably heard about the Yahoo hack that disclosed 500 million user accounts. What a mess. Here’s a Q&A about what we know, plus a look at the legal liability Yahoo faces for what is shaping up to be the biggest cyber breach to date. The New York cyber regulations wouldn’t apply to a company like Yahoo, which isn’t a financial firm, but perhaps they should.
Thanks for reading — and if you haven’t done so, go change the password on those old Yahoo email and fantasy sports accounts.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Hackers KO Krebs: Journalist Brian Krebs is widely respected for his security knowledge. He is less popular with hackers, who appear responsible for a massive denial of service attack that led Akamai to give up hosting Krebs's website. (Business Insider)
Breaking the blockchain? Fin-tech purists are freaking out over a new Accenture offering that lets users "edit" blockchain records that are supposed to be indelible. But realists will see this as simply a helpful way to bring more banks around to blockchain. (Fortune)
Snooping ain't free: Police like to monitor social media to keep tabs on trouble makers, and they're willing to drop some dinero to do so. A report says Denver cops spent $30,000 in May alone for programs to monitor a dozen social media sites. (Daily Dot)
Campaign Op-sec fail: If you're going to do sketchy stuff with federal records, try not to ask the online discussion board Reddit for help. An IT staffer for Hillary Clinton is in deep trouble after a bonehead mistake let the Internet figure out he was tied to a cover-up plan. (Fortune)
Can the feds put malware on your machine? An FBI sting that nailed hundreds of child porn creeps raises hard questions about when the feds should be allowed to install malware on suspects' computers. (Electronic Frontier Foundation)
In any case, this tweet explains why hacking has definitely jumped the shark.
Robert takes a closer look at the privacy fuss over Google's new messaging app, Allo:
It means that standard conversations on Allo are read, not only by users and their recipients, but by Google’s virtual assistant. This choice, in privacy proponents’ view, is unsettling—and it adds a potential point of vulnerability into the design: Google’s servers (as secure as they may be). Read more on Fortune.com
Big Security Bug Affects Hundreds of Thousands of Cisco Devices by Jonathan Vanian
3 Security Breaches That Freaked Out U.S. Companies by Jeff John Roberts
Oracle Snaps Up This Startup to Boost Cloud Security by Barb Darrow
ONE MORE THING
Imagine hackers taking down banks, media sites and all government computers. That's not a scene from the future - it's actually what happened to Estonia in 2007 when Russia punished its small neighbor with devastating cyber-attacks. This look-back is worth reading as an early "lesson in the age of Cyberwar." (Passcode)