The New York State Department of Financial Services (DFS) has implemented a new regulation requiring all of its supervised companies to comply with the Financial Services' Cybersecurity Requirements, which go into effect March 1, 2017. This is being publicized as the “First-in-the-Nation Proposed Rule Aims to Protect Consumer Data and Financial Systems from Terrorist Organizations and Other Criminal Enterprises.”
This will have far-reaching effects, not only on the supervised companies, but also on the numerous service providers of those companies.
Is this regulation good?
Considering that most financial and insurance institutions collect sensitive information (e.g. name, date of birth, social security number, account numbers, etc.), they are obligated to protect this information by implementing 'reasonable' safeguards that keep it from unauthorized access and use. Reasonable refers to the legal principle that an action is judged based on what a reasonable person would do under similar circumstances.
The DFS regulation provides more definition around the minimum controls needed to protect their constituents. One might ask if these “requirements” are any different from what is reasonable. As a security expert, I don't disagree with what is being requested. In fact, many large organizations already have these controls in place. However, for small and midsize businesses directing their resources towards building revenue, this regulation can be burdensome.
Security needs to be a balance between growing the business and protecting it. Will these Cybersecurity Requirements knock the balance out for some companies?
NY is not unjustified in doing this; the playing field has changed. Cyber criminals are different these days.
“The threat is incredibly serious—and growing. Cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated.”
It is no longer just the lone hacktivist, but now it is nation states, organized crime, hacktivist groups and even competitors. Believe it or not, even internal employees can pose a threat to security. Sometimes “good” employees turn “bad,” and other times internal employees inadvertently and accidentally leak sensitive data. This is driving the need for improved security, and ultimately, small to midsized companies need to protect themselves.
The NY Regulation is the result of three years of work by the DFS. It started with the DFS surveying 154 banks and 43 insurance companies in 2013 and 2014. Their findings were published in two separate reports dealing with the banking and insurance sectors in May of 2014 and February of 2015.
Several broad conclusions and concerns have emerged from these assessments and the dozens of discussions that the DFS has had with its regulated entities, cyber security experts, and other stakeholders. First, the DFS recognized that although financial institutions have taken significant steps to improve cyber security measures in recent years, financial institutions will continue to be challenged by the speed with which vulnerabilities can be exploited and the ever-increasing sophistication of threats. Third-party service providers often have access to sensitive data and/or to a financial institution's information technology systems, providing another entry point for hackers. A company may have the most sophisticated cyber security protections in the industry, but if its third-party service providers have weak systems or controls, those protections will be ineffective. Therefore, cyber security programs must remain dynamic to keep pace with this fast-changing landscape.
The NY law is the first proposed law of its kind; however, it will not be the last. Other states will follow, as will other governing bodies. Cyber security has become a growing enterprise threat to the continuation of many businesses and needs to be managed. Assuming “it will not happen to me” is no longer realistic.