New York State’s Cybersecurity Regulations May Prove to be National Model

October 23, 2017

On August 21, 2017, Yu Pingan, a 36-year-old Chinese national, was arrested at Los Angeles International Airport by federal agents. Yu was charged with providing hacking tools used to breach major U.S. corporations and was linked to the 2015 data breach of the U.S. Office of Personnel Management, in which the security clearance records of millions of American government employees were stolen. Yu’s arrest was made possible by the Computer Fraud & Abuse Act, a 2015 agreement between Chinese President Xi Jinping and President Obama to stop the theft of industrial trade secrets.

With the recent hack of Equifax potentially exposing the personal information of up to 150 million people, cybercrime has been on the rise in recent years. Sophisticated cyberattacks are being carried out by nation states such as Iran, China, Russia, and North Korea. Reflecting the growing concern, on March 1, 2017, New York’s Department of Financial Services (“DFS”) issued new cybersecurity regulations known as 23 NYCRR Part 500. The DFS, known as a leader among states in emerging compliance, wanted to be as comprehensive as possible as it imposed unprecedented obligations on covered financial institutions (about 1,900 companies with $2.9 trillion (USD) in assets).

Developed from National Institute of Standards and Technology (“NIST”) standards, the regulation holds banks, insurers and other financial services firms strictly accountable for shielding both in-transit and at-rest data. It also defines who is responsible for a breach, and requires companies to maintain awareness and an action plan that can ultimately be escalated to the board. The regulation forces companies to define criteria, have an incident response policy, and update vendor management with minimum standards for doing business with financial institutions. Covered firms will have until March 1, 2019, when the two-year transition period ends, to reach full compliance with the new regulations.

Four Key Areas, Similar to AML Regulations

To stay compliant with the new regulation, financial firms will need to address four key areas: adopt a cybersecurity policy, establish a cybersecurity program, appoint a Chief Information Security Officer (“CISO”), and manage third-party service providers, which will include annual penetration tests and bi-annual vulnerability assessments. The criteria used to regulate the risk are similar to requirements under BSA/AML regulations.

Under the new DFS scheme, company representatives must certify compliance with the regulations on an annual basis; a false or unsupported certification could provide the basis for claims against the regulated firm for breach of that certification. Enforcement falls under the New York Banking Law, the New York Insurance Law and laws that carry individual civil and criminal penalties for intentionally making false statements to the DFS. Covered firms operating as a regulated entity of the DFS will face a multitude of responsibilities in order to fulfill their compliance requirements under the new rules. They will be required to map internal and external products and devices that store data, keep a log, ensure that company equipment is covered under a data security policy, and ensure that data encryption is utilized. Because covered entities must submit the first certification after the effective start date in February 2018, the regulation is forcing them to future-proof their businesses by enacting policies now. And, as a reaction to delayed notification from past cyber breaches, the new regulation also requires that covered firms notify authorities within 72 hours.

There is a strong probability that New York’s cybersecurity regulation will influence state and federal cybersecurity regulations in the near future. How financial institutions react to this burgeoning issue will depend on their willingness to invest in the resources necessary to mitigate their cybersecurity risks.