Buying In: Cybersecurity Risk and Due Diligence

Written by Kevin Hyde and Jack Warnock, Layer 8 Security

Just as cyber breaches are a new normal in today’s business community, cyber due diligence is upon us, and there is an efficient way to act. It affects the entire ecosystem surrounding any merger, acquisition, investment or leadership change. Tap the experts around you to start thinking about these questions, and take a proactive approach, every time.


The New York State Department of Financial Services (“NYS DFS”) Cybersecurity Regulations: We are all connected.

Written by Steve Fiergang, Esq., General Counsel, Layer 8 Security

Welcome to the future of cybersecurity: not only in the financial services, banking, and insurance sectors but for all of their third-party service providers (read: you), cyber regulations are in effect.

By now, most of you in the worlds of finance and insurance have been introduced to the recent NYS DFS Regulations. As you will see, these regulations extend far beyond state boundaries and lines of business. Rather than proffering a construct for another “voluntary” framework to gauge cybersecurity risk, New York boldly puts forth a set of minimum standards by which to judge the thoroughness of each entity’s information security program. While there are potentially high costs associated with adhering to these regulations, which will be imposed upon companies both locally and nationwide, we believe this is a significant advancement for our country from the perspective of both cyber and financial security.

With the rollout of these regulations scheduled to occur in less than 180 days, here are the five questions (and answers) that should be on the minds of all businesses in the Philadelphia region, regardless of whether you work in banking, the financial industry or insurance:

Q: How does this regulation affect my business?

A: Every company operates within an ecosphere of interrelated technology dependence and connection. A significant component of the regulations appears in Section 500.11, Third Party Service Provider Security Policy. More and more, looking up and down the supply chain, all companies’ IT systems and architecture are connected. A breach anywhere within the chain can immediately corrupt a third-party provider, supplier or customer. True resilience can only be achieved when every company, large and small, implements and maintains a personally tailored cybersecurity program.

Q: How do the recent NYS DFS regulations impact companies that have clients in New York?

A: This question arises as a crossover from individual State Breach Notification Laws, which often require companies to notify those who have been breached whenever any customer of a company resides in its State. In this case, the regulations speak specifically to covered entities, not customers.

Q: How do these regulations affect an entity that is domiciled outside NY State but has a satellite office within it?

A: The Regulations apply to “any Person operating or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law”. The definition of a covered entity is responsive; if the satellite office is currently required to operate under the authorization of the NYS DFS, then the regulations apply.

Q: Are related companies required to develop and implement separate cybersecurity programs?

A: Regarding affiliated or sister companies, the regulations make clear that any affiliate may adopt a cybersecurity program maintained by its related covered entity, so long as the cybersecurity program covers the affiliate’s information systems and nonpublic information and meets the requirements of the regulations.

Q: Will other states echo these regulations, and if so, what are the implications of such a trend?

A: New York is the country’s financial center, and as such, it is logical that it takes the lead. While the future has yet to be written, this is an excellent jumping-off point for Federal review. The most logical and coordinated approach would require Federal regulation. In its absence, our hope is that the NYS DFS Regulations become a model that other states replicate. The worst-case scenario is one where a patchwork of poorly matched regulations and guidance from state to state leaves companies in the lurch as to how best to move forward.

Major Exploit Still Affecting Philadelphia Companies

Layer 8 Security has an ongoing relationship with local and federal law enforcement that allows us to know in advance when certain threats will be prevalent. We receive notices and bulletins from the FBI and other intelligence sources on a consistent basis. In some cases, dissemination is limited; in this case, however, wide dissemination is allowed. We are glad to send this alert to keep you and your company safe.

Recently, several Philadelphia businesses have fallen victim to the OpenSSL vulnerability known as Heartbleed, which created a news frenzy in 2014. We’re extremely surprised that there are still companies that haven’t patched or updated their assets to defend themselves against this exploit.

According to our sources, there are nearly 200,000 servers and Internet-connected devices running outdated OpenSSL software that is still vulnerable to Heartbleed. The initial analysis of the Heartbleed vulnerability found over 600,000 devices, which led to one of the largest media blitzes ever to fix a technology bug. The bug can be exploited to reveal chunks of server memory to any client that connects to the server.

What this means for you:

While you likely heard about Heartbleed years ago, the threat still exists. A “bad guy” could use the Heartbleed exploit to remotely execute malicious code on your servers, resulting in a compromise of sensitive data. Organizations need to verify that their assets (cloud servers, data, backup systems, etc.) do not run a vulnerable version of OpenSSL, and if they do, patch them immediately. This should also act as a good reminder to review policies and procedures on asset maintenance.

If you have questions regarding these alerts, please contact us at or 800.530.9121