New York’s Cybersecurity Regulation: The Tip of The Iceberg

Like a junkie who can’t turn away from a nickel bag, Financial Services and Insurance companies operating in the state of New York can no longer remain in Cybersecurity denial. The state’s version of the DEA (Denial Enforcement Agency) has put its foot down.

On March 1st, 2017, the New York State Cybersecurity Regulations, which affect every financial services and insurance company operating in the state, went into effect. The regulation consists of 17 line items that are intended to assure customers of banks and insurance companies that their personally identifiable and sensitive financial information is being protected according to the best Cybersecurity practices.

If these companies cannot do it themselves, which they have ably demonstrated, the State will step in and do it for them. And boy did they ever!

Any company headquartered in another state that provides services or coverage to residents of New York State (like life insurance policies), that conducts business through offices located in the state, or that works through employees (including contractors, agents, brokers, etc.) is subject to the law.

Examples of covered entities include:

- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
- Mortgage companies
- Insurance companies
- Service providers

The exceptions are companies that meet any of the following thresholds:

- fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for the business of the Covered Entity;
- less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates; or
- less than $10 million in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.

Companies, or “Small Covered Entities”, that believe they are entitled to an exemption must file the request within 30 days of the determination.

Even if an exemption is granted, these small covered entities must comply with 10 of the 17 line items.

These items include, to name just 4 of the 10:

a) verifying and certifying that the entity has a compliant cybersecurity program in place, and verifying that all documentation and reporting is in place and audit-ready;

b) assuring that the covered entity’s Cybersecurity policies and procedures are appropriate to the regulation requirements and are in place and audit-ready;

c) conducting an overall risk assessment in accordance with the essential elements for risk assessments as identified by Financial Services regulations, and putting a process in place so that risk assessment will be conducted periodically throughout each year;

d) developing a system-wide penetration testing plan in accord with the outcome of the risk assessment, and providing comprehensive and cost-effective options for periodic or continual penetration and vulnerability testing in accord with the requirements.

In addition, each year beginning in February of 2018, the Chairperson or designated Company Officer must, under penalty, personally sign off on an assurance that s/he has reviewed and found the company to be in compliance with each and every line item that applies to the covered entity for the prior year (e.g., 2017).

One other line item with which even exempted entities must comply relates to third parties.

All companies doing business in New York State must review the security programs of their third-party service providers to make sure that they are in compliance with the regulations. This will include a review of attestations and/or compliance reports against security standards and the existence of certified frameworks, a review of the contractual language and obligations around their compliance programs, and a review of the required and provided audits of their Cybersecurity programs, to assure that their third-party service providers are in compliance with these as well.

The one major line item that exempted covered entities may avoid is the requirement to designate and/or employ a certified Chief Information Security Officer. The average annual compensation for this role in the U.S. in 2016 was over $350,000. Covered entities that are not exempted, however, must assign that role to a certified individual employed by the company or to a certified professional provided by a third-party service provider.

That role involves the management of the company’s Cybersecurity program to assure that the company is, and remains, in compliance with Cybersecurity industry best practices, systems, policies and procedures; specifically, in compliance with all state statutes regulating the minimum requirements for cybersecurity programs, and with any other appropriate regulatory requirements for cybersecurity that affect the company’s ability to provide its services throughout the state.

These Regulations highlight the ongoing shift in public policy towards a more careful and regulated approach with respect to data privacy and serve as a timely reminder of the importance of continually assessing and managing risk in an environment of escalating cybersecurity threats.

In other words, if you can’t police yourself, the government will step in and police you for you.

In this context, it is important to bear in mind that other legislative measures addressing cyber risks are expected to be adopted at both the state and federal level, including the proposal from the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation for rules regarding enhanced cyber risk management standards for certain entities under those agencies’ supervision (mainly large financial institutions).

For entities subject to both the Regulations and such other legislative measures, compliance with the various requirements and standards may become complicated and costly, so it is hoped that these other measures will be largely consistent with the Regulations, but they may not be. In any event, it is probably prudent to begin putting the processes, programs and controls in place now so that your company is in full compliance when the current regulations become enforceable on the expiration of the 180-day transition period, or September 1st, 2017.

And, if you think this is only happening in New York, think again. California is next. They have never met a regulation they didn’t love.

It’s only the beginning.

The post New York’s Cybersecurity Regulation: The Tip of The Iceberg appeared first on Netswitch Technology Management.

This is a Security Bloggers Network syndicated blog post authored by Steve King. Read the original post at: News and Views – Netswitch Technology Management