Major new state regulations governing cybersecurity at banks and insurance companies took effect in New York state Monday.
The New York State Department of Financial Services developed the regulations in an effort to deter cyberattacks, and to require the companies the department regulates to begin reporting cyberattacks to the department.
“Monday marks a significant milestone in protecting the financial services industry and the consumers they serve from the threat of cyberattacks,” Maria Vullo, New York’s insurance superintendent, said in a statement.
The new rules set minimum standards for cybersecurity based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems from hacking and data breaches.
The new rules, which were completed in March, require state-regulated banks and insurance companies to:
Develop state-approved plans to deter cyberattacks.
Report any attacks within 72 hours of when the attacks occur.
Re-evaluate and upgrade company security systems annually.
Have their boards certify that the companies are in compliance with the security requirements by Feb. 15.
Legal observers note that the state is setting the requirements through a regulatory process, rather than through legislative action.
Mark Krotoski, a partner at Morgan, Lewis & Bockius who advises clients on cybersecurity and privacy issues, said many of the requirements established by the department, such as requirements that an affected company have a chief information security officer and an incident response plan, are already in place at banking and insurance companies.
“Cybersecurity, by definition, is a tailored response to protect data from potential risks,” he said in a phone interview. “There is no one size fits all, and how you tailor that does vary from each organization. By mandating a number of requirements that either are already being done, or that may take away resources or redirect cost to comply with regulations rather than tailoring cybersecurity programs to whatever the organization needs, this is more a proscriptive regulation when you compare it with other regulations that are in other states.”
Krotoski said that the 72-hour reporting requirement may not allow businesses to determine “a full picture” of the scope of the cyberattack. Oftentimes it may take weeks to assess what data was affected or what individuals were impacted by the attack, he added.
But F. Paul Greene, a partner and chair of the privacy and data security practice group at Rochester, New York-based law firm Harter Secrest & Emery, said organizations affected by the new regulations shouldn’t have to “recreate the wheel,” because they’re likely already doing what the new regulations require.
“Anecdotally, what we’ve seen in the industry is that although these regulations are a big move, organizations have looked at their current compliance practices and determined that they are in large measure compliant with the current requirements of DFS,” Greene said.
With the reporting requirement set to begin Monday, banking and insurance companies should do a risk assessment and prioritize their assets, said Steven Grossman, the vice president of strategy at Bay Dynamics, a New York-based cybersecurity company.
“Management is really the key first step,” Grossman said. “If you don’t know what your assets are you really don’t know what you’re protecting. From there, once you know what your assets are, it’s [about] understanding the key aspects of risk—that is the threat and vulnerability and the probability of the two of them meeting to impact the system.”