The EU General Data Protection Regulation (GDPR) has raised the bar for what we expect from a national data security and privacy law. The US doesn’t really have anything close (outside of HIPAA for medical PII). So it’s interesting to see some movement at the state level. Let’s now give a shout out to New York regulators for their proposed cybersecurity rules for financial companies.
Go Empire State!
Like the GDPR, the New York experiment has rules covering basic principles of data security, risk assessments and documentation of security policies, breach notifications, and designating someone to be responsible for the program.
Unlike the GDPR, it’s a far more specific set of requirements that read a little like PCI DSS and other low-level data security standards.
For example there’s a section that says the covered entity – in this case insurers, banks, and other financial companies — have to address, at a minimum 13 different areas, including data governance and classification, access controls and identity management, customer data privacy, incident response, risk assessment, and monitoring.
There are further requirements for multi-factor authentication, limits on data retention, audit trails of access to data, and restricting data access to relevant users. There’s even a rule covering annual penetration testing and quarterly vulnerability assessments. Nice work New York!
And like the GDPR, if there’s an exposure, the company has to notify regulators within 72 hours!
Chief Information Security Officer and Other Professionals
Adding more teeth to this, the regulators also say that covered financial companies will have to designate a CISO or chief information security officer who’ll be responsible for compliance.
The CISO is called on twice yearly to produce a report that includes an assessment of the overall security of the company, description of any cyber risks, and summary of any material cyber security events.
The report, by the way, will have to be filed with the state’s Superintendent of Financial Services.
In addition, the board of directors will annually review the company’s program and provide a certification to regulators. This is another way of saying the board can be held liable if there are later proved to be misrepresentations or omissions.
There are further provisions that call for the “company to employ cybersecurity personnel sufficient to manage” the cyber risk, require cyber personnel “to attend regular cybersecurity update and training sessions” and “take steps to stay abreast of changing cybersecurity threats”
How about that!
It will be a legal requirement in New York for IT security staff to improve their cyber skills and stay current.
It’s a good example of how the security catastrophes of the last few years are slowly forcing IT staff to act more like a professionals — attorneys, accountants — with serious legal obligations. That’s a good thing
The proposed regulations are making their way through the approval process – you can read the rules here. It’s currently in a 45-day public commenting period.
If the proposal is not updated after the comments are received, the regulations will go into effect in January 1, 2017 with a 180-day grace period. The first cyber certification will be due by January 15, 2018 so companies have a year after the regulations are approved to get their acts together.
Overall, this is a step in the right direction though I have some of my own quibbles. One that I’ll mention is that the New York rules have very broad definition of what has to be protected — essentially anything that’s not public. I’d be a little happier if they included standard identifiers — in other words, PII — as well.
Hey New York banks! Get a head start on the pending cyber rules with a free risk assessment.