New York State Cybersecurity Regulations To Take Effect March 1st

The State of New York announced on February 16, 2017 that its first-in-the-nation cybersecurity regulation will take effect on March 1, 2017. These regulations are set to protect financial services, including insurers, and consumers from cyberattacks, and are designed to protect private data.
The New York State Department of Financial Services proposed regulations for banks, insurers and other financial institutions back in September 2016 and issued a final version on February 20, 2017. The proposal, although consistent with existing guidance, suggests enhanced encryption of data of all nonpublic information and improved multi-factor authentication. Further, the proposal requires that the chairperson of the board or a senior officer must submit an annual certification that the entity is complying with the regulation’s requirements.

What are the regulations?

UpGuard broke down the key elements of the proposal as follows:

1. Establishment of a cybersecurity program
2. Adoption of a written cybersecurity policy
3. Mandatory Chief Information Security Officer
4. Cybersecurity training for Employees
5. Third-party service providers risk
6. Incident monitoring and reporting
7. Information security audits

Evan Schuman of Veracode wrote that the regulations, “are not especially controversial, primarily being security best practices,” but highlighted that there is a 72-hour window in place for reporting incidents to the state. However, Schuman says, “when that clock starts is unclear.”
Schuman also highlighted that the regulations brings to light data retention and said, “[T]hese new rules will give IT a reason will keep track of these efforts or face fines.”
However, Catskill Hudson Bank CTO Ted Tomita pointed out that this is a minor inconvenience for large institutions, but makes for difficult operations for smaller institutions. PWC also pointed this out and stated in their article that the call for encryption of nonpublic information may be a challenge.

Cybersecurity training

INN asked cybersecurity experts to shed some light on what these regulations mean to businesses.
In an email to INN, Steve Morgan, founder and Editor-In-Chief at Cybersecurity Ventures, said, “The new requirements will mean more compliance standards for NY financial institutions and insurers to meet. Many of these organizations are understaffed and challenged around recruiting cybersecurity and risk management personnel. This opens up a whole new practice area for cybersecurity advisory and consulting firms. Being that the NY program is the first of its kind, the state will most likely be flexible when it comes to measuring compliance.”

More importantly, Morgan says that the new requirements, “elevates cybersecurity to the C-suite and board level.”
Morgan recently wrote about security awareness training and cited that the security awareness training market is at more than $1 billion in late 2014. In the article, Morgan also stresses that awareness training “may be the world’s best ROI in the war against cybercrime.”
On the other hand, Tom Pendergast, Chief Strategist at MediaPro, told us in an emailed note: “This regulation promises to do for the financial services industry what HIPAA did for the healthcare industry: provide some clear direction as to the minimal requirements for protecting consumer data. This clarity is a good thing, for consumers and for businesses. But like HIPAA, the regulation is somewhat vague on the details, so we will need to wait for enforcement actions to see exactly what is meant by some of the requirements. If the end result is that cybersecurity best practices become as commonplace as the HIPAA privacy notice, the world will be a safer place.”
Forbes however, raised important questions on how the DFS will truly implement the new regulations, and how companies will only have a limited number of days to designate a chief information security officer, as well as implement encryption.

Bottomline

It remains to be seen what effects the new regulations will have on New York-specific private data, but at the very least, the wheels are turning towards protecting both consumers and service providers.
The regulations, however, do spell business opportunities for the cybersecurity sector. In fact, a look at the NASDAQ CTA Cybersecurity Index (INDEXNASDAQ:NQCYBR), which tracks the performance of companies that build, implement, and manage security protocols, indicates growth as the index is already up 12 percent year-to-date.
Don’t forget to follow us @INN_Technology for real-time news updates!
Securities Disclosure: I, Pia Rivera, hold no direct investment interest in any company mentioned in this article.