NY State Regs For Financial Services Companies

Following the news that New York State’s new Cybersecurity Requirements for Financial Services Companies take effect on March 1, 2017.  IT security experts from CipherCloud, InfoArmor, NuData Security commented below.

Willy Leichter, VP of Marketing at CipherCloud:

“A state the size of New York can effectively create nationwide requirements. A similar trend started 15 years ago when California passed S.B. 1386, creating the first legal requirements for public notification of personal data breaches. This public scrutiny of data breaches has had an enormous impact on how organizations approach security, and to led to 47 US states (and many other countries) enacting similar data privacy laws.”

.

Robert Capps, VP of Business Development at NuData Security:

“Any regulatory attempt that takes cybersecurity seriously must be seriously considered. Cyber threats to financial institutions are growing steadily, and the attackers are becoming more sophisticated. Customers have a legitimate expectation of protection. Banks have an obligation to fulfill their safety and security promise. With the sheer volume, complexity, and scope of the problem, there is a perception that the dam has broken. While a seemingly strong stand may get votes, it might not necessarily solve the issue, especially when other approaches could be more effective.

In the wake of several high-profile data breaches at major financial institutions, New York State, and Governor Cuomo have determined that financial institutions must be regulated to ensure they live up to expected standards for combating cyber threats and that such systems are sufficiently architected to prevent cyber-attacks to the fullest extent possible. New York proposes that the Board of Directors of a New York licensed financial institution would have to file annual certifications with New York State Department of Financial Services (NYDFS), stating, to the best of their knowledge, that companies’ cyber programs comply with the regulations set forth.

An institution’s Chief Information Security Officer (CISO) would have to present yearly reports to the Board of Directors that assess the confidentiality, integrity, and availability of information systems. In the draft regulations, the CISO would be required to provide a detailed account of any exceptions to cybersecurity policies and procedures, identify cyber risks, assess the effectiveness of the cybersecurity program, propose steps to remediate any inadequacies identified, and include a summary of all material cybersecurity events that affected the regulated institution during the period addressed by the report.

NY may be the first State to introduce such measures, but they most certainly will not be the last. A financial institution not wanting to draw the ire of regulators will want to get on board with improving their cybersecurity programs now, as they will take some time to implement.

However, New York’s reaction seems redundant to some existing federal laws and regulations. Most institutions already have a CISO to oversee the security function, and they are responsible for the creation, operation, and auditing of security programs. Their regulatory agency has responsibility for verifying that they are following that agency’s best practices, and will be sanctioned if they do not do so.

Also of note, New York state does not have jurisdiction over any institution that is chartered at the Federal level. Therefore, Governor Cuomo’s ability to address issues with large bank breaches like JP Morgan or HSBC is questionable.  The NY Department of Financial Services oversees a handful of local institutions, so the impact of such regulation may be limited.

With 1 in 16 Americans hit with some form of identity crime in 2016, it’s no wonder consumers are fed up and are demanding results from their lawmakers. Given the impacts on consumers, we’re encouraged to see lawmakers take balanced efforts toward combatting identity theft. Customer loyalty is the lifeblood of banking. Therefore, it will be doubly important to ensure that any solutions deployed to meet these standards can provide better experiences for customers and are as low friction as possible.”

Christian Lees, CTO and CSO at InfoArmor:

“This is an example of progressive regulation coming into effect much like the Gramm-Leach-Biley act. There is a good chance that New York’s proposed rules could become the new industry standard, not only within the financial sector but across all industries requiring more advanced cyber abilities and third party management.”

.