There are new cybersecurity regulations coming early next year for financial services companies in New York State, and they're the cause of some stirring among those charged with data protection and privacy.
The Cybersecurity Requirements for Financial Services Companies, open for public comment for the next month, is the result of the New York State Department of Financial Services' close monitoring of the "ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors," the regulator says in its introduction of the regulation in the State Register. Given that the financial services industry is such an attractive target for cyber thieves, DFS, while recognizing many firms have made significant strides on cybersecurity for their own sakes, decided to up the baseline requirements for cybersecurity programs.
"The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State," DFS says. Elsewhere in the same document, the regulator says, "Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances."
But Allen Brandt, FIP, CIPM, CIPP/E, CIPP/US, CPO at the Depository Trust & Clearing Corporation, thinks the regulations are a heavier lift than DFS implies in its prologue to the regulation's provisions.
"What this is doing is adding a whole new layer of oversight that companies who are subject to New York State Department of Financial Services have to do both internally and to their third-party vendors," he said.
And it's the provisions on third-party vendors that really have Brandt concerned. Section 500.11 of the regulation is on "third party information security policy," and mandates that each "covered entity" implement procedures aimed at protecting data accessed by associated third-party vendors. It requires vendors to meet "minimum cybersecurity practices," and requires periodic assessment, at least once a year, of third-party vendors' cybersecurity practices. It also requires the use of multi-factor authentication, for data to be encrypted "in transit and at rest," and a promise from third-party vendors that their service or product is free of "viruses, trap doors, time bombs and other mechanisms" that could put the covered entity at risk. Finally, it requires the vendor to allow the covered entity to perform audits.
"That may be a deal breaker," Brandt said. "Someone comes to your company and says, 'I want to audit your network,' the answer is, 'No. You're not going to be probing our network. That's not going to happen.'"
But even besides that, he said, the NY financial institutions that are going to be subject to this regulation are generally going to be big companies with hundreds, if not thousands, of vendors that either hold personal information or touch it.
"I think people are still going, 'I don't see how, with even an unlimited budget, I can do this in six months,'" he said. "And really the number of vendors is the biggest challenge."
Brandt said he thinks there are some vendors that might just decide they can't comply with those provisions and may just sever the relationship.
"So in the six-month period, we have to ID those vendors and find new ones and bring them on board," he said.
Boris Segalis of Norton Rose Fulbright agrees that the audit rights are likely to be an issue and difficult to deal with, largely because they are vague.
"The proposed regulation doesn't set out the circumstance in which such audit rights would be available," he said. "First, if a financial institution is retaining a fin tech company or a technology company, the vendor may view broad audit rights as a cyber risk in itself. They don't want to show companies what's inside the box, right? Instead, typically, vendors will make an audit report available to a client and make its employees available to discuss. If the vendor suffers a breach, however, then the customer is more likely to get audit rights. And that seems to be acceptable under the proposal."
He also thinks the provision on annual reviews is going to be a tough one, partly because of a new definition included in the regulation: non-public information, defined as "all electronic information that is not publicly available information," with a number of caveats tacked on. The issue? The data classified as needing protection is much broader than under any regulation to date, including that the definition of personal information within the provision extends to an "individual, partnership, corporation or any other entity."
Brandt takes issue with this as well.
"Companies are people now, too," he said.
Segalis said the inclusion of NPI as a new term is in fact the kicker in this whole thing and what might make things difficult, especially for the annual reviews now required of covered entities' third parties.
"If a company has 100 vendors that have access to what is defined as NPI, imagine the work required to do annual reviews," he said. "There are ways, however, to automate the process, and some companies are doing it by sending out annual questionnaires to their vendors," though he admits that hasn't been universally adopted.
One financial services company interviewed for this story, whose privacy lead could not secure permission to be quoted, said NPI as defined by the regulation is in fact concerning because it isn't completely clear what's covered. "While the regulation calls for encryption of non-public information, the definition of non-public information is very, very broad," the source said, and would require encrypting data that isn't particularly sensitive. And that means chasing after things that aren't important versus spending energy and time protecting the data that is actually significant.
Segalis said, "To me, the extension of requirements to non-personal data is the kicker here. That's what makes it difficult. If you take this out, how bad is it? Is it worse than the [Massachusetts] regs? Not worse than that."
He said otherwise, though, that while the requirements are very prescriptive, they don't shock him. He has especially been hearing industry buzz over the fact that the regulations call for the designation of a "qualified individual" to serve as the covered entity's chief information security officer (CISO), who'll be responsible for reporting on the cybersecurity program, among other responsibilities. But Segalis said the companies complying with Gramm-Leach-Bliley already have these kinds of mechanisms built in, and even if a company didn't technically have a CISO, it's entirely possible to simply name someone at the company already performing that function.
In general, Brandt and Segalis agree that this new, prescriptive regulation is the way things are headed in New York and elsewhere.
"This is happening across the financial industry," Brandt said. "In the last two or three years, there's been a rapid increase in reporting requirements, in compliance and systems reporting," he said, adding that back-end costs for financial services providers are steeply climbing while interest rates are down, which means layoffs and branch closures.
"It's part of a pattern," Segalis said of the regulation, citing the Department of Defense's recent finalizing of cyber-incident reporting requirements. "We're going to see a lot more of that. It's not unique."
For now, financial institutions in New York are waiting to see what the final regulation will look like, while DFS accepts public comments until November 14. It's unknown whether some of industry's concerns, including those outlined above, will have an impact on January's implementation.