New York Proposed Cybersecurity Regulations: A Predictor of Things to Come for the Finance and Insurance Industries
The updated notice and comment period on the New York Department of Financial Services’ (DFS) proposed cybersecurity regulations closed effective January 27, 2017. If the regulations are adopted, they will go into effect March 1, 2017, and cover New York state-regulated financial institutions, including banks and insurers doing business in New York. These covered entities will have 180 days to comply.
The proposed regulations would be the most prescriptive data security requirements yet to be imposed. They would require all covered financial institutions and insurers to establish and maintain cybersecurity programs and policies addressing a list of minimum requirements, “to the extent applicable to the Covered Entity’s operations,” including:
- Data governance and classification
- Systems and network monitoring
- Physical security and environmental controls
- Risk assessment
- Vendor security
- Incident response
Crucially, the proposed regulations put responsibility squarely on “senior officers,” or the board of directors or another governing body, to review and approve these policies. Similarly, entities are required to designate a Chief Information Security Officer (CISO), who must submit an annual report to the board.
Unlike the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other data protection rules, the proposed regulations would specifically obligate covered financial institutions and insurers to require multi-factor authentication – in most cases, a password plus physical possession of a company-provided device (like a laptop or smartphone) – for external access to their systems (absent written approval from the CISO), and risk-based authentication – a system that detects and reacts to anomalies in individuals’ access patterns (like logging in from an unfamiliar location) – for access to certain web applications.
Many of these proposed requirements – and the brief summary above only scratches the surface – fall into the category of items that professional, security-minded companies are likely already doing, such as annual penetration testing (i.e., testing systems for vulnerabilities that a hacker might exploit) and thoughtfully limiting employees’ access privileges based on their roles. Given this precedent and New York’s business capital status generally, the New York proposed regulations are likely to have reverberations throughout the financial, banking and insurance industries, in other sectors and in other states.
In a world of vague “reasonable security” obligations, a black-and-white list of prescribed requirements is likely to be widely adopted as reflecting “best practices,” and companies that do not follow them may be subjecting themselves to increased liability in the event of a data breach or other hacking incident, even outside of New York.
* * *
Post & Schell’s Information Privacy & Security Group can provide counsel to and collaborate with companies confronting the transition that the DFS proposed regulations will necessitate. Specifically, we can help coordinate companies’ internal reviews, draft cybersecurity policies and procedures, conduct training to bring companies into compliance with the proposed regulations and bring in cybersecurity technical personnel if required. Our team has a broad range of experience – from state regulatory compliance, to federal enforcement, to civil litigation – and can quickly mobilize should a client find itself under a hacking attack, regulatory scrutiny, the subject of an audit or facing enforcement action over its data security practices. And in the unfortunate event of a cybersecurity incident, we can help address the aftermath, leading efforts to comply with an array of breach notification laws, contain and mitigate damage from the breach, and deal with any public relations fallout. Feel free to reach out to the group’s Co-Chairs, Steve Fox, Cindy Haines, or Abe Rein should you have any questions.
Disclaimer: This post does not offer specific legal advice, nor does it create an attorney-client relationship. You should not reach any legal conclusions based on the information contained in this post without first seeking the advice of counsel.
About the Authors
Steven J. Fox is a Principal in the Firm's Business Law & Litigation Department, Chair of the Firm’s Information Technology Practice Group, and Co-Chair of its Information Privacy & Security Practice Group. Mr. Fox is an acknowledged and well-known national authority on legal issues regarding information technology, data privacy, and healthcare information technology. Since 1990, he has been assisting clients with legal issues and strategic counseling involving technology, healthcare information systems, data privacy matters, healthcare regulatory compliance, and e-commerce.
Abraham J. Rein is a Principal in the Firm's Internal Investigations & White Collar Defense Group, Co-Chair of its Information Privacy & Security Group, and a member of the Firm's Diversity and Inclusion Committee. He focuses particularly on the intersection of technology and the law, advising clients on legal aspects of data security, social media compliance, electronic discovery, the application of certain constitutional rights in a digital era, and related topics.