Tough cyber security rules from the New York State Department of Financial Services (NYSDFS) came into effect on 1 March 2017.
The regulations, which set out wide-ranging cyber security requirements for banks and insurance companies regulated by the NYSDFS, are said to be the first of their kind, going far beyond anything currently required by other states.
The new rules (23 NYCRR 500) establish minimum cyber security standards and controls for banks and insurers. These include measures to prevent and respond to a data breach – such as an incident response plan – and a requirement to report a data breach to the regulator within 72 hours.
The NYSDFS initially proposed the regulation in September 2016 but revised the regulation in December 2016 after consultation, easing some requirements and giving firms more time to comply.
However, the bulk of the proposals survived and affected organisations have 180 days from the enforcement date to put their cyber security programmes in place.
Directors and Officers liability
Although the rules do not detail penalties, they do increase the accountability of senior executives in the event of a cyber incident. Bank and insurer executives are required to submit an annual cyber security certificate, attesting to their organisation’s cyber security and compliance with the rules.
The rules are risk-based – firms are required to develop cyber security programs based on their particular risk profile – but they are also quite prescriptive. For example, the rules set minimum standards for the use of encryption and penetration testing. They also require regulated organisations to appoint a Chief Information Security Officer, to conduct periodic risk assessments, and to have data breach policies covering third-party service providers.
The prescriptive nature of the rules has drawn criticism. Some commentators argue that the rules are an unwanted distraction and only add to an increasingly fragmented regulatory landscape.
The NYSDFS regulations join the growing ranks of cyber and data protection regulation worldwide. Europe plans to implement tougher data protection laws in 2018, while Australia recently announced that it too will bring in data breach notification requirements and increased penalties.
The new cyber security requirements from the NYSDFS are a further sign of increasing data protection and cyber security regulation. This is particularly challenging for multinational companies as different regions are developing different regulations.
Given the vibrant and capable public-private partnerships that exist, and the growing cyber security industry, it is unfortunate that governments feel the need to step in and be more prescriptive.
More to come
The NYSDFS rules could also soon be followed by other cyber security requirements in the US. For example, the National Association of Insurance Commissioners (NAIC) is working towards developing a model law setting data security standards for insurers, including requirements to investigate a data breach and to notify regulators and consumers.
There are also plans for Federal cyber security requirements for financial institutions, although the future of these proposals is now in doubt. The Federal rules were criticised during a recent consultation period, not least because they will add to an existing host of regulations and industry standards.
These include the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Payment Card Industry Data Security Standard, the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool, and now the NYSDFS cyber security rules.
In the UK, the financial services regulator has made cyber security one of its priorities. While it does not have strict rules like the NYSDFS, it has increased requirements on banks and insurers.
For example, the Financial Conduct Authority (FCA) requires firms to report material breaches to the regulator and to share information via the Cyber Information Sharing Partnership. The Bank of England also subjects UK lenders to vulnerability testing and spot checks under its CBEST programme.
Critics of cyber regulations argue that overly prescriptive rules are counterproductive, lulling companies into a false sense of security, and reinforcing a tick-box compliance culture.
Compliance is not a substitute for security, and tick-box compliance may distract from more meaningful risk management and mitigation. It would be unfortunate if the increasing burden of regulation resulted in companies focusing on compliance rather than on reducing risk.
With the increasingly prescriptive nature of cyber and data protection regulations, it will become harder for companies to escape fines and penalties for data breaches.
Against this backdrop, it is important that companies do everything possible to increase the chances of recovery under an insurance programme, to the extent that this is allowable by law.
Download Cyber Decoder
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org