The New York State Department of Financial Services proposes cybersecurity regulations for financial institutions.
In the days of Bonnie and Clyde, bank robbers used masks to conceal their identities while robbing the local bank. Today, with the advent of cyber attacks, the mask is a computer screen, and the attacks pose systemic risks to major financial institutions.
Cyber attacks infect businesses, industries, and financial institutions by directly targeting internal networks through tactics such as phishing emails, utilizing computer vulnerabilities, and exploiting faulty system configurations. The attacks give cybercriminals access to private information, bank records, and confidential industry documents without leaving a trace of the attack. Even governments are not immune from attack. As recently as this past July, the Russian Security Service claimed it found a “cyber-spying virus” in the computer networks of about twenty organizations, including state organizations and several science and defense companies. This attack was announced shortly after cyber attacks of the Democratic Party were linked to Russian hackers.
However, in a recent effort to protect sensitive financial information, the New York State Department of Financial Services (DFS) has proposed a regulation to protect the state’s financial services institutions from the increasing risk of cyber attacks.
The proposed regulation would require that all institutions regulated by the DFS, including banking and insurance companies, establish an internal cybersecurity program designed to “ensure the confidentiality, integrity, and availability of the [institutions’] information systems.” Some of the program’s core functions would include identifying internal and external risks, using defensive protection strategies to implement new policies and procedures to protect sensitive information, and fulfilling new regulatory reporting obligations.
Additionally, under the program, institutions would be responsible for initiating annual “penetration tests” of the security programs and conducting quarterly “vulnerability assessments.” Institutions would also be obligated to report the results of these findings and assessments. To limit risk exposure, the regulation would require formal policies and procedures for the “timely destruction” of any nonpublic information, and additional encryption of all nonpublic information.
The proposed regulation only applies to the financial sector, but it might also pave the way for more general regulations on cybersecurity measures in other sectors. A number of recent security breaches, including the Ashley Madison leak and the eBay cyber attack, highlight the widespread risk of cyber attacks.
Some supporters of increased cybersecurity efforts, however, recognize that the costs of complying with these types of regulations is a tall order for many entrepreneurial start-ups, small businesses, and mid-size organizations. In a recently published paper, David Groshoff, an Associate Professor of Law and the Business Law Center Director at the American Jewish University, argues that many cyber protection solutions—especially those at the federal level—are too expensive for smaller businesses that are concerned primarily with capital raises.
While New York has recently become a “startup hub” for emerging companies like Buzzfeed, Blue Apron, and Warby Parker, Groshoff notes that as larger companies take steps to mitigate cyber attack risks, smaller business and startups become easier targets for cyber criminals. Small companies, according to Groshoff, “face unique challenges” with meeting regulations to protect their firms from cyber terrorists. Unlike established businesses and banks, smaller institutions are focused on “growing the business” and attracting new financial investors to expand the business operations and gain public attention, as opposed to taking on “unknown costs associated with cyber security risk management,” especially from regulations on the federal level.
State regulatory requirements, however, could be the kind of “affordable and meaningful cyber insurance” that smaller institutions are capable of fulfilling, says Groshoff.
New York’s proposal, for example, would give institutions the flexibility to create their own regulatory programs to prevent security breaches, in hopes that enforcement of the rule would not “limit industry innovation and instead [would] encourage firms to keep pace with technological advances.” To that end, the covered organizations are required to choose their own staff to oversee and enforce cyber protection efforts, designate personalized procedures and policies for information accessibility, and tailor steps to remediate any inadequacies.
The proposed regulation came just a few months after New York State’s annual Cyber Security Conference, which focused on the possibility of new standards to help organizations improve security, assure compliance with protection policies, and create resiliency against these threats.
The proposed regulation is subject to a 45-day notice and comment period before its final issuance.