Now that the first real cybersecurity law in US history is on the books, can we expect to see more of the same?
New York’s cybersecurity law for the financial services industry, 23 NYCRR 500, took effect on March 1, 2017. The law is making headlines not because it creates a heavy new burden for compliance, but because it takes a broader view of information security than any previous state or federal law. As a highly visible attempt to set priorities and minimum standards, the New York regulations have the potential to influence the long-term direction of cybersecurity legislation in the United States.
What’s in The Law
The New York law applies only to organizations licensed by the New York State Department of Financial Services (DFS), such as banks, investment firms, insurance companies, and mortgage brokers. These organizations must begin to comply with some of the law’s provisions within 180 days of March 1, 2017, and must phase in compliance with other provisions over the following year and a half.
The law requires a wide range of activities for organizations and their management teams, but doesn’t mandate specific technologies or set exact technical requirements. In its own words, the law avoids an overly prescriptive approach “so that cybersecurity programs can match the relevant risks and keep pace with technological advance.” However, the law covers most of the generally-accepted aspects of enterprise cybersecurity.
Among other activities, covered entities will be required to do all of the following:
- Create formal documentation of their cybersecurity programs and policies
- Appoint CISOs to oversee their security activities and ensure compliance with the law
- Conduct regular cyber risk assessments
- Incorporate security into their home-grown applications and into the development process
- Implement data protection methods including encryption
- Use strong controls to limit access to sensitive information and systems
- Notify the New York DFS in the event of a security breach
Why it Matters
New York’s regulations are not likely to create havoc in financial industry IT departments. Many firms have already implemented security strategies that meet or exceed the law’s key requirements. Even where they will require new action, the rules give organizations a fair amount of freedom in determining what steps are needed in order to protect their systems and data.
The real significance of 23 NYCRR 500 lies in the fact that it sets a precedent for similar laws at the state and federal level. While several states have laws pertaining to data breaches, and a few federal regulations (such as HIPAA) call for data protection in certain circumstances, our existing cybersecurity laws are narrowly focused and somewhat haphazard. 23 NYCRR 500 is the first law to take on the topic of cybersecurity as a whole, and can be viewed as the first attempt at a legal definition of cybersecurity best practices.
Given New York’s central position in the global economy, the law applies to most of the world’s major financial institutions, whether they are based in the US or overseas. When other states (or federal regulators) begin to consider cybersecurity laws for financial services organizations under their oversight, they are likely to use 23 NYCRR 500 as a reference point. Banks and other firms that had a voice in drafting the New York law can be expected to lobby for consistent rules in other jurisdictions.
The same pattern may also hold true for cybersecurity laws that apply beyond the financial sector. Several state legislatures proposed laws in 2016 calling for the creation of cybersecurity standards, and these efforts should gain momentum in 2017 as citizens and lawmakers grow more concerned about cyber attacks from criminals and hostile nations.
What to Do Next
If your organization is subject to 23 NYCRR 500, you have until late August 2017 to meet the first set of compliance obligations, including mandates for access controls, documented programs and policies, and cybersecurity training. A comprehensive risk assessment is a good place to start, even though the law doesn’t require formal risk assessments until March 2018. Covered entities should also start exploring their options for implementing technology like multi-factor authentication and encryption, if they aren’t using them today.
Financial services firms that don’t operate in New York, even though they aren’t obligated to comply with 23 NYCRR 500, would be wise to conduct internal reviews and identify gaps between the law’s requirements and their current cybersecurity practices. Addressing those gaps now can help companies improve their security and competitive standing, and may also leave them more prepared to comply with new cybersecurity laws in their own states.
Even organizations outside the financial sector should take note of the law and its requirements. While not every future cybersecurity law will follow the example of 23 NYCRR 500, the same basic concepts are likely to appear in laws aimed at many different industries in the coming years. Familiarity with these guidelines (and the recommendations found in the NIST Cybersecurity Framework) will be essential for maintaining regulatory compliance, and more importantly, maintaining long-term information security.
PKWARE can help organizations meet many of New York’s cybersecurity requirements. Find out how with a free demo.