New cyber security regulations require banks, insurance and other financial services institutions to have a cyber security program aimed at protecting consumers.

The progress of technology has always outpaced public policy.  Steam locomotives had been delivering goods and passengers on British railroads for nearly two decades before Parliament passed the first set of railroad acts.  The US Congress didn’t pass laws until after the Civil War.

More recently, the state of California enacted a mandatory consumer notice of when personal data is breached back in 2002.  The European Union passed a breach law in 2009 – Congress has yet to set a US standard.  That leaves the citizens of Alabama and South Dakota to fend for themselves as their legislators have yet to enact any breach law at a time when cyberattacks are at an all time high.

Crafting laws and regulations that attempt to address technology driven issues are notoriously difficult to write.  Since the advent of Moore’s Law1 and the Kami Corollary2, technology moves at a pace that even the most devoted of policy wonks struggle to keep up with the pace of change.

Yet, events every so often occur that cry out for government action to help put some boundaries around ever advancing technology.  According to the non-profit Identity Theft Resource Center, there have been more than 7,100 publicly disclosed breaches in the US alone since 2005.  The rate of reported breaches grew 40% year over year in 2016.

And cyberattacks are not just a large enterprise issue.  According to the National Cybersecurity Alliance and US Senator John Thunder (R-SD), 60% of small business are forced to close their doors after a cyber breach.

The rate and severity of breaches continues to increase at the same time we’re seeing more and more complex software solutions enter the marketplace.  Virtually every organization from the corner drug store to the largest global business relies on web-enabled applications.  Some are public and some serve only internal processes, but they all have one thing in common – software flaws that malicious hackers can exploit.

It’s against this background that New York State regulators have enacted new policies and two bipartisan groups of US Senators have proposed legislation to help protect consumers and the businesses that serve them.  Considered to be a model for other states to follow, new regs  from the New York Department of Financial Services require banks, insurance companies and other financial services institutions regulated by the department to have a cybersecurity program aimed at protecting consumers.

The regulations require written policies and procedures, the appointment of a Chief Information Security Officer, and the reporting to the Department within 72 hours of any attacks that could harm the firm’s normal operations.

In Washington, DC, Senators Mark Warner (D-VA), Jack Reed (D-RI) and Susan Collins (R-ME) have joined together to introduce a bill to encourage public companies to appoint cybersecurity experts to their Board of Directors. A separate group of Senators – John Thune (R-SD), Brian Schatz (D-HI), James Risch (R-ID), Maria Cantwell (D-WA), and Bill Nelson (D-FL) – have introduced legislation to increase the support available to small businesses to help respond to cyber threats.

It’s a given that traditional approaches to cybersecurity are failing to address the complex nature of today’s threats.  New approaches and new technologies are required – like Waratek’s Application Security Platform – that offer instant protection from known and unknown vulnerabilities at the application layer without the negative side effects of heuristic-based approaches:  high-false positives, negative performance impact, labor intensive tuning and costly code changes.