New York Cybersecurity Regulations Delayed, But Coming
The New York State Department of Financial Services (DFS) proposed Cybersecurity Requirements for Financial Services Companies earlier this year, with an expected January 1, 2017 effective date. The effective date of the cybersecurity regulations has unofficially changed to March 1, 2017, according to Reuters and its “exclusive” source from the DFS.
That likely won’t be the only change in the proposed cybersecurity regulation. Although the DFS surveyed the banking sector and the insurance companies it regulates before releasing the proposed regulations, community banks and “relatively small” financial institutions in particular expressed concerns about the proposed regulations in a public hearing before the New York State Assembly Committee on Banks.
According to the National Law Review, and many other news sources, the banks were concerned that the proposed requirements were too “one size fits all,” that they didn’t reconcile with federal cyber requirements, and that the reporting requirements were too “onerous” (as they would require annual reporting to the DFS whether or not a data security breach happened). The DFS may disagree, as Superintendent Maria T. Vullo stated that the proposed regulations included the “flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs.” DFS survey data also shows that small institutions generally lagged behind larger ones when it came to implementing data security measures such as auditing third parties that handle customer data or “key infrastructure systems.” The proposed data security regulations are also broadly similar to other federal-level laws and policies.
What’s less talked about (and thus very likely to be implemented on March 1) are the training requirements under the proposed regulations. DFS-regulated financial services companies and insurance companies doing business in New York must “provide for and require all personnel to attend regular cybersecurity awareness training sessions that are updated to reflect risks identified by the Covered Entity.” The DFS explains, “[a]lthough external threats tend to grab headlines, insider breaches from employees, consultants, and others can do just as much—if not more—harm to an institution.” This means training everyone, especially since insider negligence is the number one cause of data breaches, according to experts like the Ponemon Institute and the Society of Corporate Compliance and Ethics.
Firms must understand “the role of all employees in protecting the institution’s information and systems,” as expected in examinations by the Federal Financial Institutions Examination Council (FFIEC). There’s little question that improperly trained employees are a huge risk to any business handling personal data.
What does all of this mean? Three things: (1) stop guessing, and start doing; (2) mark your calendars for December 28, 2016, as the DFS is expected to release the official cybersecurity regulations then (we will update you, too); and (3) educate yourself on how employees are both the largest risk to, and the largest opportunity for, securing your company’s data.
***Update*** On December 28, 2016, the DFS released updated proposed regulations. The effective date is officially March 1, 2017, and companies still have to provide data security awareness training to personnel as well as implement cybersecurity programs and policies.
LawRoom (powered by EverFi) delivers online compliance courses to help your business meet its requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.