Answers to questions about New York’s cybersecurity regulations

Unprecedented banking, insurance protection requirements seen as model for feds, other states


By now, most in the finance and insurance sectors have been introduced to the New York Department of Financial Services’ (NYDFS) imminent cybersecurity regulations. Rather than proffering a construct for another “voluntary” framework to accurately gauge cybersecurity risk, New York boldly sets forth a set of minimum standards by which to judge the thoroughness of each entity’s information security program.

Related video: New York’s cybersecurity rules signal sea change

While there are costs associated with adhering to these regulations that will be imposed upon companies nationwide, this is a significant development for the United States from the perspective of both cyber and financial security.

This has been a hot topic of conversation, and many concerns have arisen. The following are frequently asked questions about the NYDFS regulations, with Layer 8 Security’s responses:

Q: How do the recent New York Department of Financial Services’ regulations impact companies that have clients in New York?

A: This question arises as a crossover from individual state breach notification laws, which often require a company to notify whenever any of its customers resides in that state. In this case, the regulations speak specifically to covered entities, not customers.

Q: How do the regulations affect an entity legally based outside New York state, but which has a satellite office within it?

A: The regulations apply to “any Person operating or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.” The definition of a covered entity turns on that authorization. If the satellite office is currently required to operate under the authorization of the NYDFS, then the regulations apply.

Q: Are related companies required to develop and implement separate cybersecurity programs?

A: Regarding affiliated or sister companies, the regulations make clear that any affiliate may adopt a cybersecurity program maintained by its related covered entity, so long as the cybersecurity program covers the affiliate’s information systems and nonpublic information and meets the requirements of the regulations.

Q: Will this catch on in other states, and what are the implications associated with such a trend?

A: New York is the country’s financial center, and as such, it is logical that it takes the lead. While the future has yet to be written, this is an excellent jumping-off point for federal review. The most logical and coordinated approach would require federal regulation. In its absence, our hope is that the NYDFS regulations become a model that other states replicate. The worst-case scenario is one where a patchwork of poorly matched regulations and guidance leaves companies in the lurch as to how to move forward.

Q: How does this regulation affect my business?

A: Every company operates within an ecosphere of interrelated technology dependence and connection.

More and more, looking up and down the supply chain, all companies’ IT systems and architecture are connected. A breach anywhere within the chain can immediately corrupt a third-party provider, supplier or customer. True resilience can only be achieved when every company, large and small, implements and maintains a personally tailored cybersecurity program.