These days, cybersecurity is a hot-button issue in policy circles. Look no further than the US presidential debates, where our two candidates have highlighted the need to address hackers, security breaches and even foreign nations that may be using sophisticated cyber tactics to influence the outcome of the upcoming November elections. The pressure to get policies and systems in place to confront these threats is real. Some policy leaders, like those in New York, are not deferring to the federal government to take the lead.
On September 13, the New York Department of Financial Services (NYDFS) proposed first-of-its-kind cybersecurity rules covering a wide range of banks, insurers and financial services companies under its jurisdiction. The issuance of the proposed regulations follows a series of industry surveys and discussions with its regulated entities over the course of several years that provided insights on their cybersecurity programs, related costs and future plans.
At first blush, the NYDFS proposal appears to establish foundational cybersecurity requirements that are consistent with existing guidelines and industry best practices. For example, the proposal requires regulated entities to implement a cybersecurity program that is in alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. In addition, the proposal calls for the implementation and maintenance of a written cybersecurity policy that addresses a wide range of areas such as information security, data governance, vendor management, customer data privacy and incident response. These requirements are consistent with ISO 27001 standards and leading industry practices.
However, the NYDFS introduces many new prescriptive requirements that go beyond any current regulatory guidance or industry practices. The following are a few of the most widely discussed changes:
- Enhanced multi-factor authentication. Currently, multi-factor authentication is only required for a limited subset of external applications such as internet banking channels. The NYDFS proposal requires multi-factor authentication for any users accessing internal systems from an external network and for privileged access to database servers.
- Data encryption. The NYDFS requires data encryption not just for data in transit but also for data at rest. The requirements also mandate that organizations include these enhanced standards in their contracts with third-party service providers.
- Annual certification. The proposed rules establish an annual certification process similar to Sarbanes-Oxley by requiring the Board of Directors or a senior officer to certify annually that the company’s cybersecurity program meets the New York standards. The current proposal is silent on whether this certification could subject signatories to individual liability in cases where the program is found to be deficient.
- Cyber incident reporting. Organizations would be required to notify NYDFS within 72 hours of cybersecurity events that have a reasonable likelihood of materially affecting the normal operation of the entity or that affect nonpublic information. Nearly every state has data security breach notification laws that set different standards on when notice may be given to consumers and state authorities, and under what circumstances. The proposal adds new standards to the regulatory maze of notification requirements.
The federal government is currently engaged in myriad activities aimed at developing a comprehensive, uniform approach to cybersecurity standards. FICO recently submitted comments to the Commission on Enhancing National Cybersecurity, which is working on a report for President Obama with a set of recommendations; these will serve as a blueprint for the next Administration for strengthening cybersecurity in both public and private sectors.
Coordinated federal efforts are important, but as we have seen in New York, the states may not wait around for federal action. Given the unprecedented scope and prescriptive nature of the NYDFS proposal, there will likely be a wave of public comments in advance of the November 12, 2016 comment deadline. With compliance required just 180 days after the proposal’s January 1, 2017 effective date, all eyes will be on the Empire State to see how its final rules shape the evolving cybersecurity policy landscape.