Reworked N.Y. Cybersecurity Regulation Takes Effect in MarchState Eased Off More Prescriptive Guidance After Industry Voiced Concerns
New York's controversial new cybersecurity regulation will come into effect March 1, imposing new rules on the banking and insurance sectors with the aim of better protecting institutions and consumers against cyberattacks.
The regulation, believed to be the first of its kind adopted by a U.S. state, highlights continuing frustration over data breaches and concern about whether private industry is moving fast enough to erect defenses against hacking.
"New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyberattacks," says New York Governor Andrew M. Cuomo.
The regulation includes requirements that financial and insurance institutions retain a CISO, report cybersecurity incidents within 72 hours and use multifactor authentication.
After input from private industry, the state eased off some of its more prescriptive proposals, such as a sweeping definition of what constitutes non-public information and specific requirements for technology vendors (see Critics Blast New York's Proposed Cybersecurity Regulation).
But the regulation will still be challenging for some organizations to implement, says Luke Dembosky, a partner with the Washington-based law firm Debevoise & Plimpton.
"It's one of the most comprehensive cybersecurity regulations in the financial sector," says Dembosky, who is a former cybercrime prosecutor with the U.S. Justice Department.
What Has to Be Done
Many of the requirements in the new New York regulation are steps that larger financial institutions have likely already taken.
For example, organizations must develop a cybersecurity program, including a written policy that addresses aspects such as access controls, business continuity, asset inventory and data governance. The CISO must send a report at least annually to the organization's board of directors, the new regulation states.
The cybersecurity program must include a periodic risk assessment plus annual penetration tests. Encryption must be used for data in transit and at rest, the new regulation states. Organizations also must develop a written incident response plan.
By Feb. 15 every year, organizations must submit a statement to New York's Superintendent of Financial Services that certifies compliance.
Although the regulation takes effect March 1, organizations have 180 days to comply. Other built-in grace periods give organizations up to two years to come into compliance with some provisions. And smaller organizations can apply for exemptions.
Regulation Raises Concerns
The American Banker's Association says that while the regulation takes a risk-based approach, which it supported, it will add a significant burden to banks. The group is also concerned that institutions haven't been given enough time to make changes.
"In addition, the rules could come in conflict with existing federal regulations, and may not provide enough flexibility to address the constantly evolving nature of cyber threats," according to a blog post in the ABA's Banking Journal.
In October, federal banking regulators proposed new cybersecurity standards for the nation's largest banks to ensure they are adequately addressing risk management, business continuity and incident response. It could be a year or more, however, before a final version of the proposed standards is published. The Federal Deposit Insurance Corp., the Federal Reserve Board and the Office of the Comptroller of the Currency - the three Federal Financial Institution Examination Council agencies that published the proposal for new standards - on Jan. 17 closed the comment period. Comments will now be reviewed by all five FFIEC agencies before new mandates are finalized and published (see Cyber Mandates for Big Banks Would Build on Earlier Guidance).
It's possible that other states may look to New York to develop their own regulations, Dembosky says. But the risk is that organizations will focus too much on ticking boxes for compliance, he contends.
"No one wants the goal to be compliance for compliance's sake," he says. "The more alignment there is and consistency among regulatory frameworks, the better it will be. You don't want to devote all of your resources just trying to be compliant. You want to have in place the best practices to make the organization more secure."