As the cybersecurity industry meets in San Francisco for RSA Conference 2023, DFIN wants to share insights around the latest data security trends that we are watching closely — including regulations, identity and access management (IAM), and Artificial Intelligence (AI). We offer risk mitigation recommendations to help organizations:
- Understand the legal constructs that you operate in and your global regulatory obligations
- Evaluate your identity and access management framework and identity governance efforts
- Be aware of security weaknesses in AI chatbots
Latest Bill to Address Data Threats: RESTRICT Act
Regulations and laws within the United States and worldwide continue to evolve. There are several new bills working their way through Capitol Hill, prompting concern around enforcement, penalties, and obligations. For example, the RESTRICT Act, if passed, will restrict data movement significantly. The bill, otherwise known as Restricting the Emergence of Security Threats that Risk Information and Communications Technology Act, is intended to address technology-based threats, giving the U.S. Department of Commerce power to regulate technology produced by countries that have adversarial relationships with the U.S. The bill outlines the countries with which the U.S. can share data. Data here is defined broadly, not just personal information.
The RESTRICT Act establishes a risk-based process, tailored to the rapidly changing technology and threat environment, by directing the U.S. Department of Commerce to identify and mitigate foreign threats to information and communications technology products and services. This measured, risk-based approach is especially vital in the context of personal communications services, where federal courts have blocked prior efforts to take remedial steps against foreign software vendors as insufficiently tailored and based on insufficiently substantiated risks. At DFIN, we will continue to track the latest regulations to keep you apprised of your legal and compliance obligations.
The Importance of Managing Identities with a Strong IAM Framework
Compromises of digital identities are growing. In fact, 40 percent of data breaches involved stolen credentials, according to the 2022 Verizon Data Breach Investigations Report. Fortunately, there has also been a remarkable uptick in the emphasis on identity and access management for user accounts, privilege levels of applications, administrative roles, and even customer accounts. I recently attended Gartner’s Identity & Access Management Summit and was happy to take part in so much active discussion around prioritizing identity management. I also observed a significant increase in the volume and maturity of identity management offerings.
Managing identities is critical, which is why IAM is an essential component of an organization’s cybersecurity strategy. It enforces the principle of least privilege (PoLP), so we can be more confident that access to datasets is appropriately limited to what we need, not necessarily what we want. To help strengthen an identity management posture, we recommend that enterprises focus on identity governance administration and privileged access management technologies as well as evaluate their current IAM framework.
On March 21, 2023, two U.S. government agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), teamed up to release a guide for all InfoSecurity professionals who manage digital identities: Identity and Access Management Recommended Best Practices Guide for Administrators. This guide defines IAM as “a framework of business processes, policies, and technologies that facilitates the management of digital identities to ensure that users only gain access to data when they have the appropriate credentials.” The guide emphasizes that identity governance provides organizations with better visibility into identities and access privileges, along with better controls to detect and prevent inappropriate access. Better visibility into your data and its access leads to better risk mitigation.
All Things AI Can Lead to All Things
With the rapid evolution, capabilities, integrations, and scale of AI and machine learning (ML), organizations must also remain focused on the possible downsides. While the likes of ChatGPT and various other platforms have emerged in recent months — and are poised to add value and save time — security risks are also emerging. These can include intellectual property losses and automated cyberattacks.
Bad actors can use AI chatbots to write phishing emails or malicious code or impersonate another person, resulting in ransomware, cyberattacks, or fraud. For example, it has been reported that hackers can use ChatGPT to create malware and encryption scripts that could lead to faster cyberattacks. Another possible risk is exposing sensitive data. There have been abuse cases reported whereby sensitive information (patient information, company information, third-party information) has been keyed into ChatGPT, to be used by OpenAI to further develop the product’s capabilities.
Keeping a watchful eye on AI developments is quickly becoming another major area of focus for us at DFIN. And it’s a question for you to ask of your teams: how do we manage AI? Read more here: How Will ChatGPT & AI Impact The Financial Industry?
Risk Mitigation Is in Your Hands
Getting a handle on your organization’s information security risks may seem daunting, but improving risk mitigation efforts is within your reach, especially if you have a good understanding of the cybersecurity landscape and take one step at a time. In an environment where new security threats to your data emerge regularly, your security team may never actually rest (!), but you can rest assured that with prioritization and diligence, you can lower your organization’s security risk exposure.
In addition to the latest cybersecurity insights, we’re proud to share that DFIN was honored at RSA Conference 2023 with two Global InfoSec Awards:
- Cutting Edge Security Solutions - ActiveDisclosure
- Publisher's Choice Virtual Directory Services - Venue
Helping organizations streamline processes, establish governance, and demonstrate regulatory compliance — while prioritizing security — is of utmost importance to us at DFIN.