Could It Have A Bigger Impact Than More Famous Legal Siblings?
The California Consumer Privacy Protection Act and the GDPR went into effect earlier this year, and New York state is following suit; last week marked the compliance deadline for the NY DFS cybersecurity regulations. Compared to the broad provisions of the GDPR and CPPA, the New York regulation makes clear that efforts to improve cybersecurity are not optional. James Lee, Executive Vice President of Waratek, discusses.
When the history of summer 2018 is written, the chapter on data protection and privacy will be dominated by the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CaCPA – aka California GDPR). Both represent a seismic shift in how the business community manages and protects consumer information, and both – if you read the fine print – will ultimately force more action on cybersecurity.
Less attention has been paid to the September 4, 2018 compliance deadline for New York’s Department of Financial Services Cybersecurity Regulations (23 NYCRR 500). Yet, in practical terms, the New York regulations have a far more immediate impact on businesses and greater potential to improve cybersecurity outcomes that will ultimately benefit consumers.
Privacy by Design: Protection by Default
Both the GDPR and CaCPA reference a duty to maintain security practices and procedures equal to the risk of harm to consumers. The GDPR makes it clear that security is a foundational element of data protection and requires that it be part of product and service design and execution. Likewise, the CaCPA requires organizations to have data security programs in place to protect consumer data. In both cases, having robust cybersecurity programs can be taken into consideration in enforcement actions.
The GDPR includes powerful financial incentives for ensuring your cybersecurity programs are robust and effective: fines of up to €20 million or 4 percent of annual global revenue. At the core, though, the GDPR and CaCPA are not cybersecurity laws. They are data-centric consumer protection laws that focus more on giving consumers access and control over data rather than mandating specific data protections.
The end result of both the EU and California approaches is a lot of guesswork on what meets the standard for cybersecurity protections.
New York’s Different Approach
Similar to the EU’s transitional approach to implementing the GDPR, 23 NYCRR 500 has been in effect since March 2017, but it includes multiple deadlines. In fact, the regulations will not be fully enforceable until March 2019, when ensuring the security of third-party vendors will be required.
Other similarities include requirements for written plans, annual assessments and the appointment of an executive to oversee the programs required by the rules. In the case of the New York regulations, the appointment of a Chief Information Security Officer is required. But those broad requirements are generally where the similarities end between the GDPR/CaCPA and 23 NYCRR 500.
The New York regulations are specifically directed at protecting businesses regulated by the New York State Department of Financial Services, and their customers, from the impacts of cyberattacks. The provision effective in September 2018 is a good example of providing guidance and focus on an area of any organization that is otherwise underrepresented but highly vulnerable to attack: application security.
Section 500.08 Application Security.
(a) Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.
(b) All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.
There’s a lot of punch packed into those 83 words. Terms like “shall” make AppSec mandatory while “in-house developed” and “externally developed” ensure all applications used in a regulated company meet defined standards. Additionally, “periodically reviewed” means the actions cannot be a “one and done” practice.
A Broad View with a Laser Focus
In adopting 23 NYCRR 500, New York officials took a comprehensive view of cybersecurity, ensuring each area of concern received the focus it required.
Network protections, for example, have historically received the lion’s share of cybersecurity funding and staffing, yet known code vulnerabilities in applications are the primary target for successful attacks. Pick just about any of the high-profile data breaches over the past decade and chances are that a known flaw in an app was at the core of the attack – often a known, but unpatched software bug.
That is one of the reasons why the New York State Department of Financial Services includes a specific application security provision. It is one of 15 different areas of focus, which also include requirements for penetration testing and vulnerability assessments, audit trails, limits on data retention, training and monitoring, and encryption of non-public data.
Businesses subject to the regulations only have 72 hours to report to the Commission of Financial Services any “cybersecurity event” that has “a reasonable likelihood of materially harming any material part of the normal operation(s)” of the business. While this is the most aggressive breach notice provision in the U.S., it stops short of requiring a public notice of the event within the same timeframe. In the EU, a similar GDPR requirement is driving a surge in breach notifications, according to the United Kingdom’s Information Commissioner’s Office.
Drawing Attention Outside New York
It’s highly unlikely you would be reading this article if advocates and public officials across the U.S. were not asking the obvious question: Should New York’s cybersecurity rules be a model for the rest of the country? The passage of the CaCPA in June 2018 is proof that other states are looking to address the unrelenting threat from cyber criminals in a more comprehensive way. Federal regulators are also discussing the need for more cybersecurity accountability.
The Federal Reserve Board’s vice chairman for supervision, Randal Quarles, noted in February that more action is required: “While we know that successful cyberattacks are often connected to poor basic information technology hygiene, and firms must continue to devote resources to these basics, we also know that attackers always work to be a step ahead, and we need to prepare for cyber events.”
What Path to Follow?
There is a delicate balance to be struck here. Regulations that are too prescriptive run the risk of preventing companies from being able to address the ever-changing attack vectors used by malicious hackers. Overly broad rules can fail to provide the guidance required to ensure that the outcomes sought by the regulations – and a high level of compliance – are achieved.
It won’t take long to determine into which category 23 NYCRR 500 falls.