Digital Edge is proud to announce that we successfully assisted and obtained an OSPAR certification for one of our FinTech clients.
What is OSPAR? OSPAR (Outsourced Service Providers Audit Report) is a report that can only be issued by one out of 5 accredited auditors. It is a critical pre-requisite for the 3rd party vendors, to demonstrate their adherence to stringent guidelines & best practices if they wish to conduct business in Singapore.
Usually my blog posts are focused on the arguably mundane practices of cybersecurity governance. Today, though, I would like to get into something a bit spicier. Right now, as I write this, Russia has about 90,000 troops amassed at the Ukrainian border, and China has been harassing Taiwanese airspace for months. Some kind of aggressive action, possibly cyber-related, seems very possibly forthcoming; and with it, likely a response in kind.
It’s a known fact that Russia, China, North Korea, Iran and others engage in regular cyber attacks against the other countries including the US. We see this all the time. What I think is unclear to most people are the rules governing the responses to such attacks. Below I discuss a broad overview of how cyber attacks are handled by governments around the world.
First off, you should know that the international law around the rights self defense of a state actor is extremely murky and highly disorganized. Furthermore, different countries disagree on the interpretation of laws that exist. That being said, there are some general rules that are followed by responsible governments.
One regulation we help clients with is the New York State DFS 23 NYCRR Part 500 compliance.
Who does DFS regulate?
According to its website: “DFS is the primary regulator for all state-licensed and state-chartered banks, credit unions, and mortgage bankers and brokers. All mortgage loan servicers doing business in New York State must be registered or licensed by DFS. The Department also oversees all of the insurance companies operating in New York, licenses all of the budget planners, finance agencies, check cashers, money transmitters, and virtual currency businesses operating in New York.”
The requirements of part 500 are generally nothing out of the ordinary, or rather, nothing more than what is already considered good practice in the cybersecurity world.
POSITION ON RISK
This is the big picture. All I see today is ISO-like risks analyses that are initially made based on industrial risks. The mentality should be changed, and I don't know if it is too big of a shift from the current approach.