New York financial regulations could signal cybersecurity sea change nationwide

Sweeping proposal would hold banks, others strictly accountable for shielding online data


Banks and other financial services companies wishing to do business in the state of New York will soon have to prove they are using first-class cybersecurity policies and practices.

Officials at the New York State Department of Financial Services (NYDFS) were so concerned that a catastrophic network hack in the financial sector could have dire consequences that they took it upon themselves to draft a far-reaching set of mandatory cybersecurity requirements.

Two years in the making, it is called the Cybersecurity Requirements for Financial Services Companies. And it is set to take effect Jan. 1.

Heading off hacks

A comment period on the draft proposal closed Nov. 14. Officials now are reviewing the comments, and modifications could yet be made. However, if the rules as drafted stay mostly intact, as expected, we could witness a paradigm shift driven by hefty new regulations.

New York’s effort to compel financial services companies to do much better at cybersecurity goes miles further than California’s pioneering data loss disclosure law. In 2003, California lawmakers required companies that lose personal information to inform the individuals whose data has gone missing. And with the U.S. Congress in perpetual gridlock, 46 other states followed suit and passed similar data loss notification laws.

Related: California toughens data loss disclosure rules.

Richard Borden, Robinson & Cole cybersecurity attorney

It’s going to be fascinating to see if the cycle repeats itself. “There have been some articles from the insurance sector welcoming regulation,” says Richard Borden, a cybersecurity attorney at Robinson & Cole. “Others see this as overbearing, especially for smaller entities. It’s going to require a large compliance regime, and smaller companies are going to have a lot of trouble with that, from an operational and a technical standpoint.”

Long and detailed checklist

Under New York’s new rules, an institution must establish a program capable of ensuring the confidentiality and integrity of its information systems. The scope of the new rules is broad, and the specific requirements are very detailed. Minimum requirements call for programs that:

• Identify internal and external cyber risks

• Use defensive infrastructure

• Implement a cybersecurity policy to protect nonpublic information from unauthorized access

• Detect and respond to cybersecurity events while ensuring resumption of normal operations following such events

• Develop written procedures to assess and test the security of externally developed applications

• Develop written policy and procedures for timely destruction of nonpublic information

• Establish risk-based policies, procedures and controls to monitor activity of authorized users and detect unauthorized access

• Establish a written incident response plan

• Provide for annual penetration testing and quarterly vulnerability assessments of information systems

• Establish an audit trail system that will allow for complete reconstruction of all financial transactions following a cybersecurity event

• Designate a qualified individual to serve as chief information security officer (CISO) or outsource the function to a third-party provider.

Responsibility shifts

“Your cybersecurity policy has to be signed off not only by your chief information security officer, but also by the heads of operations, management, compliance and risk,” Borden notes. “It changes who is responsible for cybersecurity at the institution. It actually forces cybersecurity into the entire C-Suite, and then pushes it up to the board.”

New York officials did not just reach into thin air to come up with these rules. They went to the National Institute of Standards and Technology (NIST) and borrowed the cybersecurity policies and practices that the U.S. government requires all federal agencies to adhere to.

NIST frameworks are robust, as they are the work of a cross-section of the best-and-brightest subject matter experts. Trouble is, outside of the federal government, NIST recommendations are typically viewed as benchmarks to strive for, strictly on a voluntary basis.

Keep in mind, New York’s new rules affect not just banks, but also insurance companies, mortgage brokers and asset managers domiciled in New York. “This affects 1,900 companies with $2.9 trillion in assets under management,” Borden says.

Borden says he will not be surprised if officials concede to give companies more than 180 days to come into compliance, as called for in the draft. “You have to put seven policies in place, define your controls, test them, and do an assessment that can be reported up to the board,” Borden says. “I don’t think that can happen in 180 days, even for institutions that are mostly ready. I think they may have to push the date out, but I don’t think they’re going to materially weaken the requirements.”
