
CYBERSECURITY
Cybersecurity Regulation
Data breaches and cybersecurity are part of global corporate compliance, alongside the many worldwide laws and regulations on anti-bribery, anti-corruption and anti-terrorism programs, which rely on the same principles of liability.
The current legal environment has no general federal cyber law, and the two main traditional federal cybersecurity regulations for the financial sector require only a “reasonable” level of security; the vague language of these regulations leaves much room for interpretation.
The Gramm-Leach-Bliley Act (GLBA) of 1999 was passed to modernize the financial sector, recognizing that mergers across different segments of the financial industry would result in consolidated institutions with unprecedented access to consumers’ private data.
The Homeland Security Act of 2002, which included the Federal Information Security Management Act (FISMA), requires financial institutions to protect their systems and information.
For example, FISMA mandates the development and implementation of mandatory policies, principles, standards and guidelines on information security. These regulations do not cover computing-related industries such as internet service providers and software companies.

In a more recent effort, several new cybersecurity laws were introduced, and older ones amended, to build a better security ecosystem. Among them are the Cybersecurity Information Sharing Act (CISA), which enhances the sharing of information about cybersecurity threats, and the Cybersecurity Act of 2015, which provides for a voluntary public-private partnership to improve cybersecurity research and development.
The Department of Commerce’s National Institute of Standards and Technology (NIST) has provided a voluntary, risk-based Cybersecurity Framework: a set of industry standards, best practices and guidelines developed by organizations such as NIST and the International Standardization Organization (ISO).
The Framework calls this compilation the “Core,” composed of five concurrent functions (Identify, Protect, Detect, Respond and Recover) that together form the lifecycle of an organization’s management of cybersecurity risk.
Each function is divided into categories that correspond to programmatic needs and particular actions, and each category is broken down into subcategories that point to informative references, citing specific sections of standards and guidelines.
For most technologists in finance, the NIST framework may be too basic, since banks’ own programs are far more sophisticated, but it still makes sense for a legal team in a merger to compare notes against these guidelines, for the simple assurance that nothing is missing from their cutting-edge client’s program.
In 2018, California jumped ahead of other states, catching up with and even surpassing 23 NYCRR Part 500, promulgated by the New York Department of Financial Services (a New York regulation establishing cybersecurity requirements for financial services companies).
The California Consumer Privacy Act of 2018 (CCPA) largely follows in the footsteps of the most stringent regulation to date, the General Data Protection Regulation (GDPR), which covers the data of any individual from the European Union.
Like California’s regulation for the Internet of Things (IoT), the CCPA became operative on January 1, 2020. To comply with the CCPA, businesses will need to, among other things, disclose to consumers the details of their data collection.