New York is Finally Catching Up with Hackers


After infamous cyber-attacks on Target, Home Depot and Anthem, states became painfully aware that federal regulations are insufficient to protect consumers and institutions against cyber threats. The states are trying to fill in the gaps. On March 1st New York launched new cybersecurity regulations for the banking and insurance sectors.[1] The goal is to protect consumers and institutions against data breaches, identity theft, and service disruption. New York is ahead of other states, and the new regulation is believed to be the most comprehensive to date.[2] Other states are expected to follow suit soon, using the New York regulations as a model. While the new cybersecurity regulation is thoughtful and allows great flexibility, it might prove insufficient to win the race against rapid technological advances.

In 2013 hackers stole 40 million credit and debit card numbers of shoppers who visited Target.[3] Target did not become aware of the attack until its credit card processor noticed a spike in fraudulent activity on cards belonging to those who had recently shopped at Target. Just a year later, Home Depot announced that over 56 million debit and credit cards were stolen after hackers breached its security firewall.[4] In 2015, health insurer Anthem was attacked by hackers as well. The data breach was enormous: personal information of more than 78.8 million members and employees was stolen. Federal regulations proved insufficient to thwart these cyber-attacks. Since March 1st of this year, New York requires companies providing banking or financial services to establish and maintain cybersecurity programs.[5] The state listened to the industry and delayed the implementation by one month to incorporate updates based on the comments received from the companies.[6] The new regulation is flexible in some ways; for instance, it allows companies to tailor their programs based on their own individual risk assessments.[7]

While the regulation resembles federal standards, the New York Department of Financial Services demands a higher level of accountability.[8] Companies must designate a chief information security officer (CISO), who will present reports to the board of directors. The report will inform the board about the information security programs implemented and their effectiveness. The regulation allows the CISO to be employed by a third-party service provider, which allows for more flexibility and is financially sensible for smaller companies. In addition, banks and insurers must be vigilant about their vendors' security programs and demand disclosure of any potential security threats or past breaches.[9] Many companies tried to do this before, but were stonewalled by their vendors, who were reluctant to share information. Now, the vendors are obligated by law to provide this information. These new legal requirements might push smaller vendors out of business if they are not willing to outsource.[10] The New York State DFS regulation is the first of its kind and the most comprehensive to date.[11] Some even go as far as comparing the new regulation to the Sarbanes-Oxley Act in how comprehensive and thoughtful it is.[12] The new regulation focuses more on "protecting data on the front end as opposed to simply requiring companies to have adequate data breach response plans."[13] However, there is always room for improvement.

The new cybersecurity regulations still follow the traditional security practice of periodic monitoring and adjusting the programs based on the identified risks.[14] This model will inevitably lose the race against rapid industry development. The annual risk assessments required by the regulations are not enough to ensure that the threats identified stay relevant for the rest of the year, just as compliance programs developed from these risk assessments will quickly become outdated.[15] Thus, companies might become vulnerable to cyber threats before their next annual risk assessment is due. Rapid technological advances call for quarterly risk assessments or even real-time daily monitoring, which will probably be too costly for smaller companies to accomplish. Moreover, the regulations call for regular testing of "information systems," but not of all systems.[16] Recent studies, however, indicate that "most firewall breaches [are] caused by misconfigurations, not firewall flaws."[17] Regular scanning of information systems alone cannot reveal these flaws, thus leaving the entire firewall less resilient to cyber-attacks. In addition to these challenges, the new regulations will be hard to implement. Many smaller financial companies don't have in-house experts[18] or the financial means to hire new staff members. This will likely promote outsourcing and consolidation among the compliance departments of different companies.[19] Recent cyber-attacks also revealed that there is a growing need for cybersecurity education. NY DFS should consider providing basic information security training and education to small business owners who cannot afford to keep their own IT experts in-house. Finally, more regulations, however comprehensive they may be, are not always better. NY DFS is trying to level the playing field and impose baseline regulations across the industry. However, this new regulation might slow down the institutions that already implement similar measures on their own. Large financial institutions might find themselves overwhelmed by all the paperwork and overlook cyber threats while trying to comply with all of the regulations. "No one wants the goal to be compliance for compliance's sake."[20]

Overall, the New York DFS Cybersecurity Regulation has a good chance of being successful in the future. It is very important for state and federal frameworks to be in sync and to create a united front against cyber terrorism. The regulation can be improved by requiring more frequent risk assessments, mandatory scanning of all systems instead of only "information systems," and continuing cyber and information security education for small business owners. Balancing cybersecurity against the increasing costs for the financial industry is challenging. Time will show whether the NY regulation is up to the challenge.


[2] Luke Dembosky, Eric R. Dinallo, Debevoise Analyzes Revised New York Cybersecurity Regulation for the Financial Sector (Jan 17, 2017),

[3] Jim Finkle, Dhanya Skariachan, Target Cyber Breach Hits 40 Million Payment Cards at Holiday Peak (Dec 19, 2013, 6:38 PM),

[4] Id.

[5] Id.

[6] Jay Shapiro, Laura Schmidt, New York Revises Proposed Cybersecurity Regulations, Pushes Back Effective Date (Feb 10, 2017),

[7] Michael Krimminger, New York Cybersecurity Regulations for Financial Institutions Enter Into Effect (March 25, 2017),

[8] Id.

[9] Jim Finkle, Karen Freifeld, New York Finalizes First-in-Nation Cyber Security Regulation (Feb 17, 2017),

[10] Id.

[11] Luke Dembosky, Eric R. Dinallo, Debevoise Analyzes Revised New York Cybersecurity Regulation for the Financial Sector (Jan 17, 2017),

[12] Id.

[13] Zack Needles, NY Cybersecurity Regs Could Spur Legal Work Nationwide (Oct 10, 2016),

[14] Mike Baukes, New York's Cyber Security Regulations Aren't Perfect, but Other States Should Pay Attention to Them (Feb 28, 2017, 6:30 PM),

[15] Id.

[16] Id.

[17] Id.

[18] Id.

[19] Larry Bianculli, New York State's New Cybersecurity Regulations and What It Means to You (

[20] Id.


Fordham Journal of Corporate & Financial Law