State Regulators Attempt to Keep Hackers from Taking Bite Out of Big Apple

Prior to high-profile breaches like the Equifax scandal and the ‘WannaCry’ ransomware attacks, regulators and legislators took a passive view of cybersecurity controls. In light of the steady stream of cyber breaches and attacks in recent years, status quo is clearly no longer sufficient.

In 2016, New York state governor Andrew Cuomo announced that the Department of Financial Services (NYDFS) was implementing the first-of-its-kind cybersecurity regulations to protect the state’s financial and services industries. The regulation has been effective as of March 2017, with implementation in four phases.

Phase one, which took effect on February 15th, 2018, required designation of a Chief Information Security Officer (CISO), the creation of an incident response plan, and a cyber security policy tailored to each firm’s specific operations and risk factors. Phase two, effective on the first of March, established reporting procedures – CISO’s must produce an annual report on the firm’s policies, procedures and posture. Firms had to demonstrate the design and implementation of a cyber security program to include multi-factor authentication and regular penetration and vulnerability testing.

As of September 1st, the following phase three controls have become mandatory under state law and must be included in a firm’s cyber security program:

• An annual report addressed to the board from the CISO concerning critical aspects of the cybersecurity program.
• An audit trail designed to reconstruct material financial transactions sufficient to support normal operations in the event of a cyber breach.
• Policies and procedures in place to ensure the use of secure development practices for IT personnel that develop applications for the Covered Entity.
• Implementation of encryption to protect non-public information held or transmitted by the company.
• Policies and procedures to ensure secure disposal of information that is no longer necessary for the business operations.
• A monitoring system that includes risk-based monitoring of all persons who access, or use any of the company’s information systems, or who access/use the company’s non-public information.

The final phase will take effect on March 1, 2019 and will focus on the security of third-party service providers servicing financial institutions and the due diligence processes required to approve such suppliers.

New York state have set themselves apart with the scope and depth of their legislation. Their initiatives have prompted other jurisdictions in America to revisit cybersecurity and privacy protections. California has adopted a law similar to the European Union’s General Data Protection Regulation (GDPR) while Colorado, Massachusetts, Arizona and Delaware have recently produced (or amended) new data breach notification and privacy protection laws.

Cybersecurity regulations have long been lacking and guidance has traditionally been vague and open to interpretation. While there can be no perfect piece of legislation, this framework and measurable standards are welcome in establishing a quantifiable expectation for security controls. We welcome Regulation 23 NYCRR 500 as an essential step towards enshrining a security mindset in the asset management industry.

For diligence practitioners, these rules also create a new baseline for diligence discussions. If an asset manager is based in NYC, are they in compliance with these regulations – and can diligence verify compliance? For asset managers based in other jurisdictions, are their cyber procedures and related documents as good as New York – and if not, why not?