Starting Monday, banking and insurance companies will have to comply with groundbreaking regulations established by the state Department of Financial Services aimed at deterring cyberattacks, and begin reporting any such attacks to the department.
“Monday [Aug. 28] marks a significant milestone in protecting the financial services industry and the consumers they serve from the threat of cyberattacks,” said DFS Superintendent Maria Vullo in a statement. The new rules, billed as first in the nation, set minimum standards for cybersecurity based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems from hacking and data breaches, she said.
The rules established in March (NYLJ March 2), which were tweaked after public comment from industry officials, require banks and insurance companies regulated by the Department of Financial Services to have state-approved plans to deter cyberattacks and report any attacks within 72 hours of when they occur. But there’s still debate as to whether the regulations are too restrictive.
The state rules are expected to have national and global impact because, having been imposed through regulatory rather than legislative action, they affect financial services companies that do business in the state regardless of where they are located, as well as the law firms that represent them (NYLJ Aug. 25).
Mark Krotoski, a partner at Morgan, Lewis & Bockius who advises clients on cybersecurity and privacy issues, said many of the requirements established by the department are already in place at banking and insurance companies, such as having a chief information security officer and incident response plans.
“Cybersecurity, by definition, is a tailored response to protect data from potential risks. There is no one size fits all, and how you tailor that does vary from each organization,” he said in a phone interview. “By mandating a number of requirements that either are already being done, or that may take away resources or redirect cost to comply with regulations rather than tailoring cybersecurity programs to whatever the organization needs, this is more a proscriptive regulation when you compare it with other regulations that are in other states,” he said.
Krotoski also said that the 72-hour reporting requirement may not allow businesses to determine “a full picture” of the scope of the cyberattack. Oftentimes it may take weeks to assess what data was affected or what individuals were impacted by the attack, he added.
On the other hand, F. Paul Greene, a partner and chair of the privacy and data security practice group at Rochester business law firm Harter Secrest & Emery, told the New York Law Journal that organizations affected by the new regulations shouldn’t have to “recreate the wheel” because they are likely already doing what the regulations mandate.
“Anecdotally, what we’ve seen in the industry is that although these regulations are a big move, organizations have looked at their current compliance practices and determined that they are in large measure compliant with the current requirements of DFS,” Greene said.
With the reporting requirement set to begin Monday, banking and insurance companies should do a risk assessment and prioritize their assets, said Steven Grossman, the vice president of strategy at Bay Dynamics, a cybersecurity company that recently relocated from San Francisco to New York.
“Management is really the key first step. If you don’t know what your assets are you really don’t know what you’re protecting. From there, once you know what your assets are it’s understanding the key aspects of risk—that is the threat and vulnerability and the probability of the two of them meeting to impact the system,” Grossman said.
As part of the regulations, companies will also be required to re-evaluate and upgrade their security systems annually, and the boards of insurance companies or banks must certify that they are in compliance with the security requirements by Feb. 15, a much more daunting deadline.