The New York State Department of Financial Services’ (NYDFS) cybersecurity regulations went into effect March 1, 2017, and the first of the staggered implementation deadlines is quickly approaching on August 28, 2017. Touted by the NYDFS as the “first in the nation” comprehensive cybersecurity regulation, the new rules pose significant compliance challenges for the covered entities that are subject to them. The covered entities include any business operating under New York’s banking, insurance, or financial services laws. Covered entities should expect compliance with these regulations to elevate the importance of cybersecurity within their businesses, both for activities within and outside of New York. Even financial institutions that do not operate in New York should pay close attention, as the NYDFS’s regulations are likely to serve as a model for other states aiming to ensure increased cybersecurity for consumers.
An overarching theme in the new regulations is the NYDFS’s intent to make cybersecurity a priority for a covered entity’s senior management. The regulations assume that senior management will be intimately involved with the company’s cybersecurity protocols. For example, the regulations require a senior officer or the board of directors to approve written cybersecurity policies and procedures and to certify annually to the NYDFS that the organization is in compliance with the department’s regulations. A senior officer qualified to make these decisions must be a “senior individual” at the company who is “responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity.” Each covered entity is also required to appoint a Chief Information Security Officer (CISO) who must report directly to the entity’s board of directors regarding its cybersecurity program and any material cybersecurity risks. Based on these provisions, covered entities should expect the NYDFS to seek to hold senior management responsible for cybersecurity failures.
As a direct result of the increased emphasis on management responsibility for cybersecurity, the CISO is likely to become a more important figure within covered entities. The regulations require each covered entity to appoint a CISO who not only has authority to oversee and implement the business’s cybersecurity program but also the authority to enforce the company’s cybersecurity policies. Practically speaking, these requirements will likely lead to a significant change in the way CISOs are viewed within an organization. Given the emphasis the regulations place on holding upper management responsible for a business’s cybersecurity program, it is imperative that the CISO is a person the business trusts to make discretionary decisions about cybersecurity policy and to be thorough and straightforward in reporting cybersecurity issues to upper management. It is also important that the business provide the CISO with the funding necessary for cybersecurity policies to be effectively implemented and enforced. Simply having a cybersecurity policy in place will not be enough to satisfy the regulations.
In designing a strategy for implementing the changes that the new regulations necessitate, covered entities should keep in mind that the NYDFS’s intent is not only to protect the business’s information systems but “to promote the protection of customer information.” The NYDFS expects a compliant cybersecurity program to protect not only the business itself but also the customers of a covered entity. Therefore, when completing risk assessments of its cybersecurity program and designing policies and procedures, each business must consider the risks that its policies and operating procedures pose to consumers. It is easy to see how regulatory authorities outside of New York may extend this focus on protecting consumers to hold entities responsible for cybersecurity failures when their policies and risk assessments do not include an express focus on consumer protection.
In sum, expect the new regulations to lead to:
- Increased scrutiny into senior management’s involvement with your organization’s cybersecurity program;
- Elevation of the CISO to a more senior and central role in your organization; and
- Increased scrutiny from other regulating authorities into whether your organization’s cybersecurity plan and risk management assessments consider risks to the consumer.
The NYDFS’s new regulations will necessitate broad changes for covered entities that reach well beyond a business’s New York operations. Though the regulations do not identify specific penalties for noncompliance, covered entities should expect the NYDFS to approach enforcement with the same gusto it has displayed in enforcing similar regulations.