NY Cybersecurity Regulation Compared to Other Laws
The New York Department of Financial Services (NYDFS) has proposed its Cybersecurity Requirements for Financial Services Companies regulation, which New York Governor Andrew Cuomo described as a comprehensive action to “guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”
This article highlights the critical requirements of the proposed regulation that overlap with other data security laws and frameworks New York financial institutions must already comply with. Understanding how these requirements connect across the expanding web of data security laws, together with employee training, can help financial institutions keep their data security compliance in step with regulators’ growing expectations.
- Expanded Definition of What Must Be Protected
The proposed regulation defines four kinds of “nonpublic information” that financial services companies (FCs) must protect. New York lawyer Joseph P. Vitale, writing on the Harvard Law School Forum on Corporate Governance, observes that the proposal “captures far more data than what New York’s existing data protection law defines as ‘personal information,’” including:
(1) Individual information connected with a financial product or service (largely tracking the Gramm-Leach-Bliley Act, an existing federal law);
(2) Confidential business information;
(3) Personal health information (largely tracking HIPAA’s Privacy Rule covering protected health information); and
(4) “Any information that can be used to distinguish or trace an individual’s identity . . .”.
Category (4) is the most challenging because it is a catch-all. Not only does it cover “any” information that can distinguish an individual’s identity (such as a name), it also covers information that is “linkable” to an individual, such as educational, marketing, financial, and medical records. Data that looks innocuous on its own, for example marketing records keyed to an account number, falls within scope once it can be tied back to a person.
Fortunately, similarly expansive language already exists in EU law. The EU-U.S. Privacy Shield framework, and the EU Data Protection Directive before it, treat personal data as “any information relating to” a “natural person . . . who can be identified, directly or indirectly, by reference to . . . factors specific to his physical, physiological, mental, economic, cultural or social identity,” and the General Data Protection Regulation (GDPR) uses a very similar but more specific definition (adding, among other things, location data and online identifiers). As a first step, FCs should use these definitions to inventory how much personal data they collect, retain, and process, and where that data lives.
- Cybersecurity Program and Policy
The proposed regulation requires each company to establish a cybersecurity program and a written policy implementing it. The program requirements closely track the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework Core (Identify, Protect, Detect, Respond, Recover), a voluntary but widely adopted framework in the industry. The policy requirements, according to Mr. Vitale, are consistent with both the NIST framework and the Information Technology Examination Handbook published by the Federal Financial Institutions Examination Council (FFIEC). The Gramm-Leach-Bliley Act already requires FCs to maintain an information security program, so FCs should map all three existing sources against the proposed New York regulation to find gaps rather than build a fourth program from scratch.
- Everyday Use
Everyday operations are also affected by the proposed regulation. Two requirements deserve particular attention. The first is encryption of nonpublic information, which interacts with New York’s existing breach notification law: that law does not require notice when the compromised data was encrypted, unless the encryption key was also acquired. The safe harbor is therefore only as strong as the key management behind it, so an FC that encrypts data to satisfy the NYDFS requirement should also keep the keys separate from the data they protect; an attacker who takes both gets the data, and the FC loses the notification exemption. The second is the FFIEC Cybersecurity Assessment Tool that examiners use to evaluate a bank’s internal processes, controls, and operations, which took on added weight when the OCC released an October 2016 Bulletin answering frequently asked questions about its use.
- Third-Party Liability
The proposed regulation also reaches third parties: FCs must ensure that business partners and vendors that hold or access their nonpublic information apply safeguards comparable to the FCs’ own. Both the EU-U.S. Privacy Shield and the GDPR, mentioned above, impose similar obligations on companies to ensure that their third parties use adequate security procedures.
Finally, FCs must “provide for and require all personnel to attend regular cybersecurity awareness training sessions that are updated to reflect risks identified by the Covered Entity in its annual assessment of risks.” While the regulation does not specify the content of that training, there is guidance on where to focus: as we and the Ponemon Institute have reported, insider negligence is the leading cause of security gaps.
Data security training can teach employees how to support, rather than undermine, the company’s cybersecurity program. However, simply placing a training course in front of an employee is no guarantee that anything changes; the learner must be motivated. Engaging the millennial learner and incorporating ethics and aesthetics are some of the many considerations LawRoom makes when designing its online compliance training courses.
It is no wonder that companies are making cybersecurity a top priority. Financial institutions and insurance companies regulated by the NYDFS, already under pressure to comply with international, national, and state data security laws, will also have to comply with the Cybersecurity Requirements for Financial Services Companies regulation if it is adopted as proposed. LawRoom tracks legal updates and will keep you informed.
LawRoom (powered by EverFi) delivers online compliance courses to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.