Answers to questions about New York’s cybersecurity regulations
Unprecedented banking, insurance protection requirements seen as model for feds, other states
By Steve Fiergang, Special to ThirdCertainty
By now, most in the finance and insurance sectors have been introduced to the New York Department of Financial Services’ (NYDFS) imminent cybersecurity regulations. Rather than proffering a construct for another “voluntary” framework to accurately gauge cybersecurity risk, New York boldly sets forth a set of minimum standards by which to judge the thoroughness of each entity’s information security program.
While adhering to these regulations will impose costs on companies nationwide, this is a significant development for the United States from the perspective of both cyber and financial security.
This has been a hot topic of conversation, and many concerns have arisen. The following are frequently asked questions about the NYDFS regulations, with Layer 8 Security’s responses:
Q: How do the recent New York Department of Financial Services’ regulations impact companies that have clients in New York?
A: This question arises as a crossover from individual state breach notification laws, which often require a company to give notice whenever any of its customers resides in that state. In this case, the regulations speak specifically to covered entities, not customers.
Q: How do the regulations affect an entity legally based outside New York state but with a satellite office within it?
A: The regulations apply to “any Person operating or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.” The definition of a covered entity answers the question: if the satellite office is currently required to operate under the authorization of the NYDFS, then the regulations apply.
Q: Are related companies required to develop and implement separate cybersecurity programs?
A: Regarding affiliated or sister companies, the regulations make clear that any affiliate may adopt a cybersecurity program maintained by its related covered entity, so long as the cybersecurity program covers the affiliate’s information systems and nonpublic information and meets the requirements of the regulations.
Q: Will this catch on in other states, and what are the implications associated with such a trend?
A: New York is the country’s financial center, and as such, it is logical that it takes the lead. While the future has yet to be written, this is an excellent jumping-off point for federal review. The most logical and coordinated approach would require federal regulation. In its absence, our hope is that the NYDFS regulations become a model that other states replicate. The worst-case scenario is one where a patchwork of poorly matched regulations and guidance leaves companies in the lurch as to how to move forward.
Q: How does this regulation affect my business?
A: Every company operates within an ecosphere of interrelated technology dependence and connection.
More and more, looking up and down the supply chain, all companies’ IT systems and architectures are connected. A breach anywhere within the chain can immediately compromise a third-party provider, supplier or customer. True resilience can only be achieved when every company, large and small, implements and maintains an individually tailored cybersecurity program.