Having been New Jersey’s Director of Consumer Affairs, I have first-hand knowledge of exactly how much regulation is considered a dirty word in most corporate circles. That’s what makes New York State’s bold move to impose unprecedented cybersecurity requirements on the financial services sector so intriguing.
Consider that just before Christmas banking and insurance industry lobbyists made a frenzied eleventh hour attempt to block the New York State Department of Financial Services (NYDFS) from rolling out its milestone Cybersecurity Requirements for Financial Services Companies.
The lobbyists did win a delay of the start date by three months, to March 1, 2017, and also got the agency to pencil in some major revisions. Despite those concessions, NYDFS Superintendent Maria T. Vullo should be congratulated. This still is a momentous stake-in-the-ground.
Kudos to Vullo for sticking by her guns and keeping the core framework of these long-overdue cybersecurity regulations intact. Any “covered entity” that wants to do business in the Empire State will soon have to certify that it has a comprehensive data breach prevention regime in place. Here are four major takeaways to keep an eye on:
Be careful what you ask for
One significant revision was the addition of “risk-based assessments.” This enables a covered entity to tie specific security requirements to periodic risk assessments. Instead of a one-size-fits-all compliance benchmark, a risk-based approach allows specific details about the company’s data, operations and third-party partners to be factored in.
That means companies with simpler operations presumably can get by with fewer controls and audits. However, Richard Borden, a cybersecurity attorney at Robinson & Cole, says that the converse holds true, as well. Compliance requirements could mushroom if a risk assessment exercise uncovers complex exposures.
Observes Borden: “The agency’s fundamental response was, ‘If you don’t like how we did it, then do a risk assessment that covers all the topics and come up with your own controls. But, get it right, because in the event of a breach or an audit, you signed on the bottom line that you were in compliance.’”
Third-party halo effect
Another new requirement holds that a covered entity must now generally account for the security policies of third-party partners. While that could turn into a burden for both parties, some legal experts also anticipate a halo effect.
“The proposed regulation indirectly imposes the cybersecurity requirements on entities not subject to regulation,” says Thomas M. Dawson, of Drinker Biddle & Reath.
In short, even companies outside of the financial sector may find themselves subject to the spirit, if not the letter, of New York’s new rules. They too may have to take steps to prevent data breaches by demonstrating use of multi-factor authentication, encryption and other security tools.
Regulations with teeth
Stand by for an explosion of controlled chaos. Some 1,900 banks, insurers, mortgage brokerages and asset management firms, companies that collectively manage $2.9 trillion in assets, must now scramble to “establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry,” as Vullo puts it.
“This shows the agency intends for these regulations to have teeth,” says former federal cybercrime prosecutor Edward J. McAndrew, now an attorney at Ballard Spahr.
The effective date is less than three months away. It is to be followed by a series of transitional deadlines that must be met. “These new deadlines are still tight,” warns Yuliya Feldman, of Drinker Biddle & Reath. “Therefore, covered entities should begin planning soon to give themselves sufficient time to come into compliance.”
Follow the leader
Regulators from other states are glued to this drama. Some are discussing whether to extend similar requirements to other verticals, beyond the financial sector.
The drivers are certainly in place for state officials to want to do more to protect their citizens. Should New York-style rules rapidly catch on in other states, things could get interesting, fast. “We could see a possible balkanization of cybersecurity requirements that would be in no one’s interest,” opines attorney Dawson.
Or maybe the rapid rise of a hodgepodge of state cybersecurity rules might be exactly what’s needed to compel the corporate sector to embrace cybersecurity policies and practices that supersede all mandated rules. Now wouldn’t that be something?