How New York is Shaking Up Cybersecurity

September 1, 2017

Something potentially groundbreaking is happening in New York, and its impact is being felt globally. Still, if you’re not in the financial services industry, and specifically regulated by the New York State Department of Financial Services (NYDFS), you may have missed it.

What is this change? In short, it’s the first of what may become a wave of stringent state cybersecurity regulations that impose “minimum standards” on industry. Let’s briefly explore what the new rule looks like, and what this recent development may mean for the future of cybersecurity.

Start Spreadin’ the News

After a public comment period, NYDFS issued a set of regulations called “Cybersecurity Requirements for Financial Services Companies.” The individual requirements are being phased in over two years, and the first transition period, which just occurred on August 28, requires the following:

Formal Risk-Based Cybersecurity Program
14-Point Cybersecurity Policy
Seven-Point Incident Response Plan
A Qualified Chief Information Security Officer
Continuously Trained Cybersecurity Personnel
Limited User Access Privileges
72-Hour Notice of Certain Events

Fast approaching are mandatory risk assessments, continuous monitoring or annual penetration testing and bi-annual vulnerability assessments, use of multi-factor authentication and encryption, systems audit trails, applications security, vendor review and limitations on data retention. Oh, and let’s not forget, a senior official (or the Board) must certify compliance annually.

Make a Brand New Start of It

Although NYDFS could have adopted the NIST Framework instead of creating something new, it didn’t. That can spell trouble. You’ll recall that the United States does not have a single, national data breach notification law, having left the issue to be handled on a state-by-state basis. The result is that 48 states now have their own laws, and businesses are left to sort them all out. Are we about to face the same headache for cybersecurity requirements? It’s quite possible, and there already is some indication that State Attorneys General are looking to the NYDFS model as “top of the heap” when drafting data breach settlements against parties that are not financial institutions.

If I Can Make It (Apply) There, I’ll Make It (Apply) Anywhere

It’s true that NYDFS can enforce the regulation only against entities it directly supervises. However, the regulation’s impact can be felt anywhere. That may seem counterintuitive, but the reason is simple. A number of supervised entities rely upon a parent or affiliated company outside of New York (and perhaps even outside the United States) for their network infrastructure and global cybersecurity operations. Although an affiliate may fall outside of Albany’s supervisory grip, all or part of the affiliate’s program – potentially operated halfway around the world – can fall under New York’s microscope and require onerous and sensitive disclosures.

It’s Up to You

It is common to map a company’s cybersecurity program against international, national and industry frameworks and controls. If you fall under NYDFS supervision, New York now needs a column of its own. Otherwise, it’s up to you, at least for now.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

In today's world of growing dependence on digital landscape expansion, companies are becoming more reliant upon cloud-based security services that protect both the company and customers they service.

Join a fast-paced webinar on October 7 when 3xLOGIC’s experts discuss the many advantages of cloud surveillance. Learn why end users are demanding cloud solutions, and how this can empower business owners to view, manage, and share video from anywhere, at any time, on any device.

Poll

Which metric comparing peer organizations to yours would be most beneficial for your security program?

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products