They have been hailed as a world first.
New cybersecurity regulations which have just come into effect in New York will provide for specific and prescriptive requirements for the financial services industry. The regulations (New 23 NYCRR 500) may well be an indicator of things to come in Australia, where an increased focus is already being placed on cyber and data security, with laws regarding mandatory data breach notification having just come into effect.
The New York regulations were initially released in draft in September 2016. While many aspects were consistent with existing cybersecurity principles, the regulations were seen to go above and beyond the status quo. Notably, the proposed regulations dealt with ‘nonpublic information’ which was defined very broadly, meaning that entities falling within the regulations (known as ‘Covered Entities’) were burdened with protecting a wide scope of information. Covered Entities under the regulations include for example, financial service providers, investment companies, brokers and insurers.
Following a consultation period, changes were made to the initial draft. These included a loosening of some of the more onerous requirements. The meaning of ‘nonpublic information’ was narrowed and ‘risk assessments’ were provided for, which would inform the implementation of measures on an entity-by-entity basis (rather than a one-size fits all arrangement). The final form of the regulations came into effect on 1 March 2017 with a 180-day transitional period. However there are some exemptions for smaller-sized companies, such as those with less than 10 employees or those with gross annual revenue or year-end total assets below certain amounts.
Noteworthy aspects of the final regulations include requiring Covered Entities to implement a cybersecurity program and cybersecurity policy which would be based on the risk assessments that must be carried out periodically. Covered Entities also need to appoint a Chief Information Security Officer responsible for overseeing the cybersecurity program and policy. Qualified cybersecurity personnel are now required to perform certain core cybersecurity functions.
Significantly, Covered Entities are required to provide a signed annual certification of compliance from February 2018. Although not spelled out under the regulations, the effect of this requirement is that it could potentially lead to individual liability for the person(s) submitting the certification (being a ‘Senior Officer’ or the board of directors for example) if a false statement is contained in the certificate.
It appears that US regulators are developing a model cybersecurity law, and as such it seems likely that the New York regulations are a sign of things to come on the US front.
Back in Australia and further to the introduction of to the mandatory data breach notification legislation, we are also shortly anticipating some cyber initiatives such as an upcoming release by the ASX of the results of its ‘ASX 100 Cyber Health Check’. We expect this will provide some insight into how some of the largest organisations in Australia manage their cybersecurity risks and cybersecurity incidents.
In addition, Australian Signals Directorate, the national agency responsible for the provision of cyber security advice, recently published their updated Strategies to Mitigate Cyber Security Incidents. This provides some key advice as to how organisations can prepare for cybersecurity incidents and notes eight essential mitigation strategies including:
application whitelisting, whereby only selected software applications are to run;
patch applications, to fix security vulnerabilities in software applications;
configuring Microsoft Office macro settings to disable untrusted macros;
restricting administrative privileges;
patching operating systems;
multi-factor authentication; and
daily backup of important data, and securing it offline.
It’s clear that a growing focus is being placed on cybersecurity and protecting information from cyber security threats. With an ever increasing amount of cyber-attacks and data breach incidents, it is now more important than ever that organisations put systems in place to mitigate the risks, thereby placing them in good stead to prepare for any future increased levels of regulation.