New Rules for Financial Firms in New York Put New Onus on Boards

Nicholas J Price
6 min read

New York-based financial services companies are under a new rule of law, intended to protect consumers from the repercussions of a cyberattack and one that puts boards in a front-and-center role when it comes to the company’s security.

Touted as the first law of its kind in the United States, New York State enacted new cybersecurity regulations this year, outlining new standards that are sure to resonate beyond the financial businesses — such as banks, insurance companies and other financial services firms — that the law targets.

How Far Does Regulation Go?

Companies regulated by the state’s Department of Financial Services (DFS) will now be required to create and maintain a cybersecurity program to protect the privacy of consumers and the safety of the state’s financial services industry.

“With this landmark regulation, DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information,” said Maria T. Vullo, the state’s DFS superintendent.

“As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyberattacks,” she added.

Of course, neither financial services nor economic stability exist in a vacuum — and unlike regulations being rolled out by the European Union (EU) in 2018, which have been widely reported and outlined in a report by consulting firm Deloitte, New York’s rules stop a little shorter. New York’s law, according to the public affairs office of the DFS, includes any financial company that requires a license to do business in New York — including, say, a firm headquartered in California that also operates a New York office, or a mortgage lender based in New Jersey that underwrites loans for New Yorkers. But it only applies to those that DFS oversees — in other words, only financial services organizations must comply with the regulation.

The new EU law, called the General Data Protection Regulation (GDPR), applies to any businesses (in any industry, including healthcare, communications platforms or retail services) that wants to work within EU states. New York’s rules, DFS notes, don’t extend to nonfinancial companies, or every business that has customers in the state.

Unaffected companies include anyone outside of New York, as well as New York companies with fewer than 1,000 customers, less than $5 million in gross annual revenue or less than $10 million in total year-end assets over the past three years, Rippleshot‘s blog reports.

Still, the message from New York is a strong one: consumers are protected here, and financial firms will be held accountable.

Several of the regulation’s mandates outline the ways in which a company must comply, and in doing so vastly widens the base of those culpable for a breach and the requirements of a board to pay attention to its potential vulnerability and its cybersecurity planning.

New Duty for Board Members

The idea that board members should make cybersecurity a priority has risen over the years, since the Target data breach in 2013 that resulted in members of the board of directors being sued. But, as writer Melissa Stevens asked on Bitsight’s blog last year, to what degree should boards be involved?

This new regulation answers that. It requires board members to ensure that there’s a framework in place at the company “for a robust cybersecurity program,” and one “that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.”

That means nontechnical leaders in the board will start taking an active role in security oversight — and that pinning blame squarely with the CEO, as a survey in SC Magazine reports boards tend to do, won’t cut it anymore.

Boards will take the lead in fulfilling requirements that every firm hires a chief information security officer, or CISO, to oversee the new policies and ensure that they’re working effectively. The CISO would answer to the board, the DFS says, and according to the regulation, they can be employed by an affiliate or third-party provider instead of being hired by the company itself.

It’s not uncommon for companies to already have much of the new regulation’s guidelines in their process, but it’s good to tie it to risk assessments. Tim Erlin, director of security and an IT risk strategist for Tripwire, tells Information Age, “The [N.Y.] regulation addresses the challenge of keeping up with the changing threat landscape by tying the details to a prescribed risk assessment,” he says, calling it “a smart move. It forces organizations to go beyond just buying the obvious tools, to actually understand the threats they face.”

Lastly, the board would use that risk assessment to guide moves made on cybersecurity plans, and hear from the CISO at the minimum biannually, as McGuireWoods LLP notes, about:

  • The integrity of the information systems
  • Any exceptions to agreed-upon policies and procedures
  • What risks the CISO has identified
  • An audit of sorts of the effectiveness of their plan
  • Steps to deal with inadequacies
  • A summary of all cybersecurity events (which must now be logged)

What Comes Next

Affected companies have 180 days to reach compliance with the new regulation, according to the state.

Financial companies outside of New York are likely to look at these regulations to get a sense of what’s coming for the greater industry — but the real blowout will happen when the EU enacts the GDPR next year.

New Regs Coming From Across the Pond

The GDPR, which will have been six years in the making, goes into effect on May 25, 2018, and unlike the New York rule, will extend to any company doing business in the EU, Deloitte notes, even if based elsewhere. It demands much stricter compliance by many more international players, as it affects the 28 member states of the EU, and according to an article in Computer Weekly, lawyers say the reach of the laws is basically limitless — extending to every business with any EU interests. Individuals rights and privacy play a large role in GDPR, and are protected in the new act. Noncompliance, according to the original text of the GDPR, can result in fines of up to 20 million euros or US$21 million — or up to 4 percent of the company’s total worldwide annual turnover of the preceding year, “whichever is higher,” the text says.

While New York borrows some of these guidelines — such as a firm being required to report a breach to regulators within 72 hours, and the mandated hiring of a data protection officer or DPO — the state’s regulation is more like training wheels for the massive ripple effect the 2018 legislation will have.

In the EU, not only financial services are impacted: any industry, from retail services to healthcare, will have to comply with the security precautions outlined.

“The GDPR will apply to any business that operates within the EU, but also any company that processes data from EU citizens,” notes Network World. The law will also supersede any present laws across the 28 EU states, and puts a premium on privacy.

New York’s regulations may not be as hefty as the EU’s — but with a department that supervises and regulates more than 1,500 insurance companies and 1,600 banking or other financial institutions, which represent $4.3 trillion and $3.1 trillion in assets, respectively, according to a 2016 annual report, the state has a formidable stable of companies that will be impacted by the rules.

When the GDPR does roll out, New York’s early moves will have set the precedent and helped nudge U.S. companies along the path to compliance by giving them a head start.