Looking Ahead: The Intersection Between Cyber Security Regulation and the Financial Sector

By Danny Restivo

On September 13, 2016, the New York State Department of Financial Services (NYDFS) proposed a regulation requiring all financial institutions it regulates in the Empire State to enact a list of cybersecurity measures.[1] The proposal requires banking, insurance, and financial services companies under the jurisdiction of the NYDFS to adopt and maintain a cybersecurity program.

Among the requirements, the proposed regulation directs organizations (termed “covered entities”) to designate a Chief Information Security Officer (CISO) to oversee the cybersecurity program and its procedures. The mandates also include oversight of information shared by or with third parties, including law firms, accounting services, and marketing groups.[2]

“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said Governor Andrew M. Cuomo in a statement from the New York State Department of Financial Services. “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”[3]

The proposed regulation is currently in a 45-day public comment period, which began when it was published on September 28 in the New York State Register. If the proposal is adopted, covered entities will have 180 days from January 1, 2017 to comply with its requirements.

The proposal aims to protect consumers, as well as financial institutions, from an increase in cyber-attacks. In 2015 and 2016, banks in the Philippines, Vietnam, Bangladesh and Ecuador suffered major intrusions, in which attackers abused the banks’ connections to the SWIFT interbank messaging network and netted millions of dollars.[4] In light of these high-profile incidents, a number of large financial institutions have invested in securing their infrastructure, and many of them already meet much of what New York’s proposal asks for. Many smaller covered entities, however, have not made the same investments, and if the regulation is adopted they will be forced to make costly upgrades.[5]

Critics of the regulation say the new requirements overlap with guidance set forth by the Federal Financial Institutions Examination Council (FFIEC), an interagency body that includes the Federal Deposit Insurance Corporation, the Federal Reserve Board of Governors and the Consumer Financial Protection Bureau.[6] Although the FFIEC guidance shares many of the same requirements, the NYDFS proposal goes further in calling for cybersecurity assessments, notification of the regulator within 72 hours of a breach, and the appointment of a CISO.

While Cuomo dubbed the regulation “first-in-the-nation,” other states have already enacted similar regulation and guidance on cybersecurity. The Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) require every business holding personal information on Massachusetts residents to comply with certain security safeguards.[7] Moreover, state authorities around the country have given organizations comparable instructions for adopting cybersecurity standards. In California, the Attorney General’s office publishes an annual report that lists specific practices constituting “reasonable security measures” under the state’s information security statutes. These recommendations are not requirements, which leaves organizations the flexibility to craft a cybersecurity program that responds to their industry-specific risks.[8]

Eric Martins and Brett Goldman of DMGS agree. “Ultimately, the NYDFS is far more prescriptive than any current state-authored regulation,” said Martins. While organizations outside the Empire State may be tempted to ignore the NYDFS proposal, other governmental agencies have recognized the need to establish “minimum standards” for the protection of consumer-sensitive information.[9] If approved, New York’s cybersecurity regulation will be the first state rule of its kind for the financial sector, and it will serve as an important model for other states that pursue comparable regulation. “I think the bigger question here,” adds Goldman, “is how quickly other states will take notice and make sure that their financial institutions and other businesses are proactive in protecting themselves from cyber vulnerabilities.”

[1] “Governor Cuomo Announces Proposal of First-In-the-Nation Cybersecurity Regulation to Protect Consumers and Financial Institutions.” New York State Department of Financial Services, September 13, 2016. https://www.governor.ny.gov/news/governor-cuomo-announces-proposal-first-nation-cybersecurity-regulation-protect-consumers-and

[2] Bucsescu, Marle, and Waxman, Matthew. “NY State Cyber Regulations for Banks.” Lawfareblog.com, September 19, 2016. https://www.lawfareblog.com/ny-state-cyber-regulation-banks-model

[3] Cuomo, statement quoted in [1].

[4] Pagliery, Jose. “Global Banking System: What You Need to Know.” CNN Money, May 28, 2016. http://money.cnn.com/2016/05/27/technology/swift-bank-hack/

[5] Taylor, Harriet. “Critics Are Skeptical of New York’s Proposed Financial Security Laws.” CNBC, September 26, 2016. http://www.cnbc.com/2016/09/26/critics-are-skeptical-of-new-yorks-proposed-financial-cybersecurity-rules.html

[6] Jacob, C. Reade; Mao, Mark C.; Raether, I. Ronald Jr.; and Taylor, Ashley L. “NY Proposes Regulations Requiring Financial Services Companies to Implement Cyber Security Measures.” Consumer Financial Services Law Monitor, September 26, 2016. http://www.consumerfinancialserviceslawmonitor.com/2016/09/ny-proposes-regulations-requiring-financial-services-companies-to-implement-cyber-security-measures/

[7] Jacob, Mao, Raether, and Taylor, see [6].

[8] Harris, Kamala. “California Data Breach Report: February 2016.” California Department of Justice, February 2016. https://oag.ca.gov/breachreport2016

[9] Roberts, Jeff John. “Look Out Companies, Here Comes the Cyber Regulations.” Fortune, September 25, 2016. http://fortune.com/2016/09/25/cyber-regulations/

Brett Goldman edited this report
