The first state-mandated cybersecurity regulations in the nation went into effect Wednesday in New York State, requiring a wide range of financial services, banks and insurance firms to adopt measures aimed at protecting client data.
The rules, which the New York Department of Financial Services proposed in September and finalized Feb. 20, contain 23 sections detailing specific actions firms must have in place, including data encryption, appointing a chief information security officer, training employees in security, multi-factor authentication, and annual evaluations from a senior officer. The rules affect any company regulated by New York DFS, as well as any third-party vendor that has access to the data.
“New York is the financial capital of the world and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Andrew Cuomo said on finalizing the rules last week.
Firms have six months to comply with the rules and could face significant penalties and sanctions if they fail to do so.
Justin Kapahi, vice president of solutions and security at External IT, said nothing in New York’s mandate should surprise firms already following industry best practices, in addition to the guidelines already issued by the Securities and Exchange Commission and the Financial Industry Regulatory Authority. However, the federal guidelines lack specifics. For example, the SEC requires firms to implement “reasonable safeguards to protect a client’s nonpublic information,” but doesn’t define what those reasonable safeguards are, according to The Wall Street Journal. Nor does the SEC stipulate what firms must do after a breach occurs, how it will enforce the rules, or how it will penalize noncompliance.
“[New York is] taking what the SEC and FINRA have put out there and created a much more detailed and prescriptive version,” Kapahi said. “In here, you see a lot of detailed descriptions for what needs to be done.”
Another difference is the hard and fast deadline, according to Tom Embrogno, the co-founder and global strategic advisor of Docupace, which now provides end-to-end cybersecurity for financial advisors.
“FINRA and SEC say they will audit and you must have things in place, but New York is drawing a line in the sand that you must have these in place,” Embrogno said. “It’s that mandate that is really the differentiator.”
Kapahi said that clearly defining cybersecurity practices helps align the law with practices that actually improve security. For instance, an advisor can currently share files by uploading them to services like Dropbox and then sending a link for another party to click and download. Because the email carries only a link rather than the file itself, this counts as encryption by the letter of the law.
“Most firms out there don’t put authentication on the URL,” Kapahi said. “If someone was to sniff that email off the wire, they would actually have access to the file. In practical terms, nothing was actually accomplished.”
New York’s regulations require advisors to verify identities and use passwords to share files and access nonpublic information, and they provide greater detail around areas like device management and audit-trail logging. The law also takes a closer look at third-party vendors, to which 63 percent of all data breaches can be attributed, according to SC Media.
Given the concentration of financial services firms in New York, the mandate goes a long way in shaping future cybersecurity regulation across the nation. Embrogno and Kapahi both said they expect similar rules to come soon from the SEC and FINRA, despite the new administration’s opposition to new regulations.
“I don’t think the new administration will touch this at all,” Kapahi said. “The DOL stuff has material impact on jobs and liability for companies. It’s a huge change that’s required; [an] immense amount of foresight and changes to workflows, technology and business habits. This is something that has been on the table for years already.”
If anything, Kapahi is worried the law doesn’t go far enough. He points out that there are a lot of exemptions to the requirements for smaller companies with few employees or assets under management. Why should a firm not have to be as strict with security if they manage $950 million instead of $1 billion, or if they only have 9 employees instead of 10?
Kapahi said he hopes this is addressed with future rules.
“It’s a legitimate problem, whether it’s required by regulators or not. Companies have to protect data.”