Something potentially groundbreaking is happening in New York, and its impact is being felt globally. Still, if you’re not in the financial services industry, and specifically regulated by the New York State Department of Financial Services (NYDFS), you may have missed it.
What is this change? In short, it’s the first of what may become a wave of stringent state cybersecurity regulations that impose “minimum standards” on industry. Let’s briefly explore what the new rule looks like, and what this recent development may mean for the future of cybersecurity.
Start Spreadin’ the News
After a public comment period, NYDFS issued a set of regulations called “Cybersecurity Requirements for Financial Services Companies.” The individual requirements are being phased in over two years, and the first transition period, which just occurred on August 28, requires the following:
- Formal Risk-Based Cybersecurity Program
- 14-Point Cybersecurity Policy
- Seven-Point Incident Response Plan
- A Qualified Chief Information Security Officer
- Continuously Trained Cybersecurity Personnel
- Limited User Access Privileges
- 72-Hour Notice of Certain Events
Fast approaching are mandatory risk assessments, continuous monitoring or annual penetration testing and bi-annual vulnerability assessments, use of multi-factor authentication and encryption, systems audit trails, applications security, vendor review and limitations on data retention. Oh, and let’s not forget, a senior official (or the Board) must certify compliance annually.
Make a Brand New Start of It
Although NYDFS could have adopted the NIST Framework instead of creating something new, it didn’t. That can spell trouble. You’ll recall that the United States does not have a single, national data breach notification law, having left the issue to be handled on a state-by-state basis. The result is that 48 states now have their own laws, and businesses are left to sort them all out. Are we about to face the same headache for cybersecurity requirements? It’s quite possible, and there already is some indication that State Attorneys General are looking to the NYDFS model as “top of the heap” when drafting data breach settlements against parties that are not financial institutions.
If I Can Make It (Apply) There, I’ll Make It (Apply) Anywhere
It’s true that NYDFS can enforce the regulation only against entities it directly supervises. However, the regulation’s impact can be felt anywhere. That may seem counterintuitive, but the reason is simple. A number of supervised entities rely upon a parent or affiliated company outside of New York (and perhaps even outside the United States) for their network infrastructure and global cybersecurity operations. Although an affiliate may fall outside of Albany’s supervisory grip, all or part of the affiliate’s program – potentially operated halfway around the world – can fall under New York’s microscope and require onerous and sensitive disclosures.
It’s Up to You
It is common to map a company’s cybersecurity program against international, national and industry frameworks and controls. If you fall under NYDFS supervision, New York now needs a column of its own. Otherwise, it’s up to you, at least for now.