Looking Ahead: The Intersection Between Cyber Security Regulation and the Financial Sector

By Danny Restivo

On September 13, the New York State Department of Financial Services (NYDFS) proposed a law calling for all regulated financial institutions in the Empire State to enact a list of cybersecurity measures.[1] The proposal requires banking, insurance, and financial services companies under the jurisdiction of the NYDFS to adopt and maintain a strong cybersecurity program.

Among the guidelines, the proposed regulation requires organizations (termed as “covered entities”) to designate a Chief Information Security Officer (CISO) to oversee cyber security programs and procedures. The mandates also include oversight measures for information shared by or with third parties, including law firms, accounting services, and marketing groups.[2]

“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said Governor Andrew M. Cuomo in a statement from the New York State Department of Financial Services. “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”[3]

The proposed regulation is currently in a 45-day public comment period following its publication on September 28 in the New York State Register. If the proposal is adopted, covered entities will have 180 days from January 1, 2017 to comply with its requirements.

The proposal aims to protect consumers, as well as financial institutions, from an increase in cyber-attacks. In 2015, large banks in the Philippines, Vietnam, Bangladesh and Ecuador experienced major hacks that netted millions for cybercriminals.[4] In light of these high-profile incidents, a number of large financial institutions have invested in secure digital infrastructures. As a result, many organizations already fall in line with New York’s proposal. However, many smaller covered entities have not made the same investments, and if the law is approved, they will be forced to make costly upgrades.[5]

Critics opposed to the regulation say the new guidelines overlap with mandates set forth by the Federal Financial Institutions Examination Council (FFIEC), an interagency body that includes the Federal Deposit Insurance Corporation, the Federal Reserve Board of Governors and the Consumer Financial Protection Bureau.[6] Although the FFIEC proposal has many of the same requirements, the NYDFS goes further in calling for cyber security assessments, notification of authorities within 72 hours of a breach and the appointment of a CISO.

While Cuomo dubbed the legislation a “first-in-the-nation,” other states have enacted similar regulation and guidance regarding cybersecurity. Massachusetts’ Standards for the Protection of Personal Information of Residents of the Commonwealth requires every business holding personal information on residents to comply with certain security safeguards.[7] Moreover, state authorities around the country have provided organizations with similar instructions for the adoption of cybersecurity standards. In California, the Attorney General’s office publishes an annual report that includes specific practices for “reasonable security measures” that align with the state’s information security statutes. These recommendations are not requirements, allowing organizations the flexibility to craft a cybersecurity program that best responds to their industry-specific vulnerabilities.[8]

Eric Martins and Brett Goldman of DMGS agree: “Ultimately, the NYDFS is far more prescriptive than any current state-authored regulation,” said Martins. While organizations outside the Empire State may want to ignore the NYDFS proposal, other governmental agencies have recognized the need to establish “minimum standards” for the protection of consumer-sensitive information.[9] If approved, New York’s cyber security regulation will be the first, and it will serve as an important model for the efforts of other states that pursue comparable legislation. “I think the bigger question here,” adds Goldman, “is how quickly other states will take notice and make sure that their financial institutions and other businesses are proactive in protecting themselves from cyber vulnerabilities.”

[1] “Governor Cuomo Announces Proposal of First-In-the-Nation Cybersecurity Regulation to Protect Consumers and Financial Institutions.” New York Department of Financial Services, Sept 13, 2016. https://www.governor.ny.gov/news/governor-cuomo-announces-proposal-first-nation-cybersecurity-regulation-protect-consumers-and

[2] Bucsescu, Marle and Waxman, Matthew. “NY State Cyber Regulations for Banks.” Lawfareblog.com, Sept. 19, 2016. https://www.lawfareblog.com/ny-state-cyber-regulation-banks-model.

[3] Cuomo

[4] Pagliery, Jose. “Global Banking System: What you need to Know” CNN Money. May 28, 2016. http://money.cnn.com/2016/05/27/technology/swift-bank-hack/

[5] Taylor, Harriet. “Critics are Skeptical of New York’s Proposed Financial Security Laws.” CNBC. September 26, 2016. http://www.cnbc.com/2016/09/26/critics-are-skeptical-of-new-yorks-proposed-financial-cybersecurity-rules.html

[6] Jacob, C. Reade; Mao, Mark C.; Raether, I. Ronald Jr., and Taylor, Ashley L. “NY Proposes Regulations Requiring Financial Services Companies to Implement Cyber Security Measures.” Consumer Financial Services Law Monitor. September 26, 2016. http://www.consumerfinancialserviceslawmonitor.com/2016/09/ny-proposes-regulations-requiring-financial-services-companies-to-implement-cyber-security-measures/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-Original

[7] Jacob, C. Reade; Mao, Mark C.; Raether, I. Ronald Jr., and Taylor, Ashley L.

[8] Harris, Kamala. “California Data Breach Report: February 2016.” California Department of Justice. https://oag.ca.gov/breachreport2016

[9] Roberts, Jeff John. “Look Out Companies, Here Comes the Cyber Regulations.” Fortune, September 25, 2016. http://fortune.com/2016/09/25/cyber-regulations/

Brett Goldman edited this report

Washington and Health Care News

Election 2016

According to FiveThirtyEight modeling based on current polling, support for Clinton has steadily increased after the first presidential debate. Clinton is projected to receive 341 electoral votes, with Trump receiving 197. The second presidential debate, held in a town hall format in St. Louis, MO, featured discussions of tax policy and the ongoing Syrian Civil War. The final presidential debate will be held on October 19th at 9:00 pm ET at the University of Nevada in Las Vegas, NV.

Lame Duck Appropriations Process

House and Senate negotiators have the giant task in the lame-duck session of trying to complete the 11 remaining fiscal 2017 appropriations bills — a task made more difficult by a $4 billion difference in the way the House and Senate draft bills squeeze in extra spending. Both sets of draft appropriations bills adhere to the $1.07 trillion budget cap. To accomplish that, the Senate bills make use of $20.1 billion in phantom mandatory cuts, compared with $16.3 billion of such cuts in the House bills.

The cuts are known as Changes in Mandatory Programs (CHIMPs) and generally allow appropriators to claim savings by capping mandatory spending that wasn’t expected to take place anyhow. Critics deride the practice as gimmickry. Last year, the House and Senate adopted a budget resolution limiting CHIMPs in the fiscal 2017 bills to $19.1 billion, meaning the Senate bills would technically be in violation of the rule. Conservatives originally had pushed for a $16 billion limit on CHIMPs this year.

The existing restriction can be waived by 60 votes in the Senate, something an omnibus spending bill would need in any case to win passage in that chamber. The biggest difference between the House and Senate is apparent in the Transportation-Housing and Urban Development bill, S. 2844, as demonstrated by an August list of CHIMPs from the Office of Management and Budget.

Half of Medicare Advantage Drug Plans Get High CMS Rating

Nearly half of all Medicare Advantage plans with prescription drug coverage (49 percent) received a four-star or higher ranking from the CMS for the 2017 plan year, according to data released today. MA plans with drug coverage on average made marginal gains in CMS’s quality rating system, but Part D drug-only plans made more significant gains.

The number of MA plans with drug coverage that garnered ratings of four or more stars (out of a total of five) for the 2017 plan year was roughly equal to the 2016 plan year numbers. Star ratings might harm the enrollment and revenue for MA plans that received low star ratings. Prominent Medicare plan issuer Humana saw its ratings drop, which the company said may have an impact on its enrollment and revenue.

The star ratings are designed to measure the quality of the MA plans and help beneficiaries make coverage decisions. The star ratings grade MA plans on a variety of metrics, including clinical quality and patient satisfaction. Medicare Advantage enrollment is expected to hit 18.5 million in 2017, a 60 percent increase from 2010, according to a blog post from Sean Cavanaugh, the CMS’s deputy administrator and director of the Center for Medicare.

Average star ratings for MA plans with prescription drug coverage have jumped from 3.86 for the 2014 plan year to the current 4.0 for the 2017 plan year, the CMS said. Star ratings for Medicare Part D plans were also released, with 49 percent of plans receiving four or more stars for the 2017 plan year. The average star rating for Part D plans increased from 3.05 in 2014 to 3.55 for 2017.

FDA Left Out of Zika Emergency Funds

The FDA is aiding the fight against the Zika virus without any dedicated Zika funding in the new fiscal year. The recently approved $1.1 billion package of federal funding to respond to the Zika outbreak is expected to generate more tests and vaccine candidates. However, that funding doesn’t cover the Food and Drug Administration’s costs in reviewing new policies and diagnostics and vaccines.

The agency already has spent millions of dollars on Zika work, an agency spokeswoman told Bloomberg BNA. In addition, an advocate of more FDA funding said there already is a “surge of work” on Zika at the agency. Congress provided $1.1 billion at the end of September to respond to the outbreak of the Zika virus as part of the continuing resolution (H.R. 5325) to keep the government running through early December. That funding, which came after months of fighting in Congress over provisions attached to that funding, allows the National Institutes of Health to continue its pursuit of a Zika vaccine, and helps the Centers for Disease Control and Prevention with its public health response (14 PLIR 1374, 10/7/16).

As of late September, the FDA has spent $5 million in annual resources and “utilized” more than 400 staff members to respond to the Zika virus, according to FDA estimates. “Because additional funding to support Zika virus response activities was not provided to the FDA under H.R. 5325, the FDA will continue to leverage funding from its base resources to sustain response activities,” said FDA spokeswoman Tara Goodin. “Sustaining scaled-up Zika response activities using current base resources is a challenge and requires the FDA to reprioritize work in other important areas, as well as limiting the FDA’s ability to support highly targeted regulatory science research that is required for the efficient development and regulatory review of medical products for Zika virus disease.”

The FDA describes regulatory science as the science of developing new tools, standards, and approaches “to assess the safety, efficacy, quality, and performance of all FDA-regulated products.”

John Zang contributed to this report. 

Weekly Congressional and DC Update

Election 2016

According to FiveThirtyEight modeling based on current polling, Clinton and Trump were being given nearly 50-50 chances of winning leading up to their first debate on Sept 26. The debate featured discussion of trade policy, the criminal justice system, and US foreign & martial policy. Since the debate, Clinton’s position has improved slightly, but is only marginally better than Trump’s; she is projected to receive 46.5% of the vote, with Trump receiving 44.3%, and Gary Johnson 7.9%.

Congress Averts Shutdown by Clearing Stopgap Bill With Zika Cash

Congress sent President Barack Obama a stopgap spending bill on Wednesday after lawmakers reached a bipartisan deal to keep the government funded through Dec. 9. In its last vote before the November election, the House passed the measure 342-85 late Wednesday, following a favorable Senate vote earlier in the day. The White House indicated Wednesday that Obama would sign the measure.

The measure, which averts a partial government shutdown, also includes funding to fight the Zika virus and support veterans programs, and assist with flood damage in Louisiana and several other states. The bill’s passage represents a victory for Democrats, who got much of what they had been demanding for months — significant funding to combat Zika without barring money going to Planned Parenthood, which provides women’s health services including abortion. They also beat back numerous attempts by Republicans to score policy victories in the bill, including efforts to stop the privatization of internet domain name assignments.

Senate Majority Leader Mitch McConnell of Kentucky was able to avoid a politically volatile shutdown and allow vulnerable Republican senators to return home to campaign, while House Speaker Paul Ryan of Wisconsin skirted a rebellion by conservative members seeking a six-month stopgap. The Dec. 9 termination date means that Congress will rejoin the fight over government funding for the rest of the fiscal year after the November election. Whether Hillary Clinton or Donald Trump wins the presidency will largely determine whether spending bills are completed then or if decisions are pushed into next year, a more likely scenario if Trump wins.

Justice Against Sponsors of Terrorism Act

The House & Senate successfully overrode President Obama’s veto of S. 2040, an act which would allow victims of terrorist attacks on US soil to sue foreign government officials that funded or aided in the execution of the attacks. Congress’s override vote marks the first time that President Obama’s veto has been overruled during his presidency. The bill is broadly worded, but was passed in the House & Senate in response to Saudi Arabian government officials’ funding of the operatives involved in the September 11 attacks on the World Trade Center. President Obama had expressed concerns about the law’s potential for blowback, presenting the possibility of foreign governments subjecting US officials to lawsuits regarding foreign US military & intelligence operations.

Pentagon’s 5,000-Strong Cyber Force Passes Key Operational Step

A 5,000-person Pentagon force created to bolster military computer networks and initiate cyber attacks against terror groups should be ready to carry out its mission by the end of the week, a key step in improving the U.S.’s ability to respond to hacks by overseas adversaries.

The Cyber Mission Force will reach “initial operational capability” by Friday, said Colonel Daniel J.W. King, a Cyber Command spokesman, in an e-mail. The group’s 133 teams have met basic criteria on personnel, training, resources and equipment, but all of them aren’t necessarily ready to launch attacks, he said.

The force, which falls under the U.S. Cyber Command created in 2009, likely will focus on the highest priorities, such as risks from Russia, China, Iran and terrorist groups including Islamic State. Previously, cyber operations were scattered in silos across Cyber Command, the NSA and other military branches. Officials plan to expand the force by another 1,200 people as part of the process of becoming fully combat ready.

NJ Legislative Alert: A4093 Concerning Scrap Tire Recycling

A4093 Concerning Scrap Tire Recycling

A4093 is an Act aimed at amending and supplementing New Jersey’s recycling laws to include scrap tires on the list of items legally required to be recycled. This Act concerns the Department of Environmental Protection, scrap tire haulers, scrap tire facilities, and New Jersey recycling centers.

A4093 seeks to:

  • Legally obligate the recycling of scrap tires
  • Prohibit disposal of scrap tires as solid waste
  • Institute a Department of Environmental Protection (DEP) system of scrap tire tracking, collection, recycling, and responsible disposal within 180 days of A4093 enactment
  • Require scrap tire haulers and recycling centers to be licensed by the DEP within 180 days of A4093 enactment
  • Require New Jersey district recycling plans to include source separation of scrap tires from solid waste stream
  • Implement a system of fines of up to $25,000 for violation of A4093
  • Ensure no person in the state of New Jersey knowingly disposes of scrap tires as solid waste after January 1st, 2017
  • Prevent illegal dumping of scrap tires

As mentioned in A4093, the recycling and reuse of scrap tires provides a number of benefits, while limiting landfill overflow. Recycled tires can be used as playground cover material, alternative fuel, and in civil engineering applications, which all could benefit New Jersey greatly.

Status: A4093 has been referred to Assembly Environment and Solid Waste Committee for further review.

Billy Hoffer Contributed to this Report

NJ Legislative Alert: A4158 NJ Call Centers Job Act

A4158 NJ Call Centers Job Act

A4158 is a proposed act in New Jersey that seeks to incentivize call center job retention by utilizing a financial reward and punishment system for call center employers. Under this Act, call centers refer to any office employing 50 or more people who receive phone calls or electronic communications for the purpose of providing customer assistance or other services.

A4158 seeks to:

  • Require outsourcing call center employers to notify the Commissioner of Labor and Workforce Development 90 days prior to the transfer of operations
  • Punish call center employers who outsource the number of employees handling 20% or more of the annual communication volume to foreign countries
  • Bar outsourcing call centers from receiving state grants, guaranteed loans, tax benefits, or any other financial assistance for 36 months after notifying the commissioner of said outsourcing
  • Require outsourcing companies to return unamortized state funds awarded them through state grants, guaranteed loans, tax benefits, or any other financial assistance
  • Give preference when awarding state contracts to call centers retaining jobs in New Jersey
  • Continue to give funds to workplaces for the purpose of supporting training and hiring initiatives including but not limited to veterans, minority groups, and women, regardless of being on the outsourcing companies list

A4158 is aimed at curbing the current trend of outsourcing New Jersey jobs to foreign countries with lower wages. This Act punishes outsourcing companies financially to make operation transfer more expensive than keeping jobs in the state of New Jersey.

Current Status: Introduced and referred to Assembly Labor Committee for review

NJ Legislative Alert: A4056 Concerning Massage and Bodywork Therapy

A4056 Concerning Massage and Bodywork Therapy

A4056 is a proposed amendment to the Massage and Bodywork Therapist Licensing Act (P.L. 1999, c.19 (C.45:11-60)). Under current law, those seeking to obtain a license in Massage and Bodywork Therapy are required to complete 500 hours of class study OR successfully complete a comprehensive written exam.

A4056 seeks to:

  • Require applicants for licensure to complete 500 hours of in-class study AND successfully complete a comprehensive written exam
  • Remove provision in current law that provides that the successful completion of any such examination may have been accomplished before the effective date of the act

Status: A4056 has been referred to Assembly Regulated Professions Committee for further review.

For more information, please contact Brett Goldman with DMGS at 215-979-1326 or email bjgoldman@dmgs.com

Billy Hoffer Contributed to this Report 

NJ Legislative Alert: S2533 Contractors Registration Act

S2533 Contractors Registration Act is a proposed piece of legislation concerning the requirements of residential general contractors and home renovators. This law aims to better protect the consumer while also updating regulations to ensure contractors are fully covered while completing jobs in a safe and legal manner.

S2533 seeks to:

  • Require contractors to carry a bond amounting to a minimum of 50,000 dollars to provide restitution in the event of a violation of the “Contractor’s Registration Act”
  • Rewrite the contractor’s “notice to consumer” regarding the work agreed to be completed with the intention of allowing the consumer a better understanding of state regulation and easier avenue to cancel the work
  • Ensure contractors complete jobs by creating a series of fines of up to 20,000 dollars

Current Status: Referred to Senate Commerce Committee

For more information, please contact Brett Goldman with DMGS at 215-979-1326 or email bjgoldman@dmgs.com

Billy Hoffer Contributed to this Alert