The Conference Board Governance Center Blog

Sep 28, 2016

NY State Cyber Regulation for Banks: A Model?

By Marcel Bucsescu and Matthew Waxman

This post originally appeared on LawFare on Sept. 19, 2016.

On September 13, 2016, New York Gov. Andrew Cuomo announced a set of proposed cybersecurity regulations for financial services companies that fall under the jurisdiction of the New York State Department of Financial Services (NYSDFS): Cybersecurity Requirements for Financial Services Companies. This proposed regulation, Cuomo noted, is the first of its kind in the nation and reflects the severe threat of cyber-crime and disruptions to the global financial sector centered in New York.

This sector-specific regulation (which now goes through a public comment and review process) is the latest move in a proliferation of cybersecurity standards that private firms must navigate. Companies are already challenged to draw on the appropriate required or voluntary frameworks: government standards like the National Institute of Standards and Technology (NIST) Cybersecurity Framework; industry standards and other private-sector initiatives such as the ISO/IEC 27000 series from the International Organization for Standardization (ISO) or the Payment Card Industry Data Security Standard (PCI DSS); and public/private partnerships like the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards. The financial services industry, in particular, has seen a proliferation of rules and guidance from regulators like the Securities and Exchange Commission (SEC), the Federal Financial Institutions Examination Council (FFIEC), whose guidance informs the oversight of both the Office of the Comptroller of the Currency (OCC) and the Federal Reserve, and the Commodity Futures Trading Commission (CFTC).

In this context, the proposed NY State regulations can be viewed both as a blessing and a curse. For those companies that fall under the jurisdiction of the NYSDFS, the proposed rules lay out a clear governance framework for cybersecurity. But these rules also add another set of standards for consideration by financial industry organizations that often have multiple regulators in varying jurisdictions here in the United States and around the world.

To the credit of the NYSDFS, prior to publishing the proposed rules, it surveyed nearly 200 companies on leading and emerging practices in cybersecurity. Forgoing the technical minutiae of a corporate cybersecurity effort, the proposed rules address five key areas:

  • The establishment of a cybersecurity program
  • The adoption of a cybersecurity policy
  • The role of the chief information security officer
  • Oversight of third-party service providers
  • Additional items that relate to security practices and other matters

The announcement emphasized that the proposed regulations are designed to provide “certain regulatory minimum standards while maintaining flexibility so that the final rule does not limit industry innovation and instead encourages firms to keep pace with technological advances.”

The first area of the proposed rule relates to the formation of a cybersecurity program. The rule reads that each company “shall establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” The outline of the NYSDFS program aligns closely with the five core functions of the NIST Cybersecurity Framework: identify, protect, detect, respond, and recover.

The written cybersecurity policy mandated by the proposed rule is more detailed, calling out about a dozen areas—such as customer data privacy, vendor and third-party service provider management, and incident response —that, at a minimum, need to be addressed. Most importantly, the policy is mandated to be reviewed by the board of directors and approved by a “senior officer” “as frequently as necessary,” but at least once a year. The proposed rule even provides a template certification that the board should sign and submit to NYSDFS annually beginning Jan. 15, 2018.

Under the rule, each entity will have to designate a “qualified individual responsible for overseeing and implementing the [company’s] cybersecurity program and enforcing its cybersecurity policy.” The Chief Information Security Officer (CISO) will have principal reporting and oversight responsibilities for the cybersecurity program at the company.

A critical risk in any corporate operation comes from third-party service provider relationships. This rule seeks to manage that by setting out policies and practices that, at a minimum, address:

  • A risk identification and assessment of the third-party
  • A set of minimum cybersecurity practices required to be met by the third party
  • A due diligence process to evaluate the third-party’s cybersecurity programs
  • At least an annual assessment of the adequacy of the third-party’s cybersecurity program

In some regards, this focus on third-party risks may be the most significant feature of the proposed regulation. This will help companies focus on a critical source of cyber risk. But it should be noted that proper oversight and engagement with third-party vendors, particularly for the largest institutions, is costly and time-consuming.

The proposed rule goes on to identify other practices that the NYSDFS deemed important, from encryption and multi-factor authentication techniques to data retention practices and training and employee monitoring.

Taken as a whole, the proposed regulation should help advance the cause of cybersecurity, though these are still draft proposals and it remains to be seen how they will play out in practice. If one thinks about this state-level, sector-specific approach as a possible model, it’s important to keep in mind that financial institutions generally have greater resources available to dedicate to cybersecurity and they are already subject to more intrusive regulation of internal governance than most other industries.

One challenge that financial companies might face in implementing the proposed regulation as currently framed is that it is structured both as a protective measure for the companies to which it applies and as a punitive set of regulations that enforces the protection of customer data. There is an inherent tension in that framing, where the victim (the hacked company) is also treated as the culprit (for failing to protect customers’ private information). Ultimately, this framing may hinder collaboration, as companies weigh engaging with regulators to address cyber-threats against the regulatory action that may follow from disclosure. This, in turn, may slow progress on the common goal of improved cybersecurity and response.

Perhaps most surprising is the inclusion of a certification by the chair of the board (or designated member(s) of senior management) of compliance with the rule. Certifications of this nature are rare, though NYSDFS appears to find this a useful mechanism to ensure focus on process, having included it in another recent regulation as well. Certifications like this help boost attention to the issue internally and promote accountability, but they are expensive, as regulated entities build systems to protect the board and senior leaders and vet the certifications.

In his remarks, Governor Cuomo said, “this regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”

That’s a vast and misleading overstatement; any guarantee against cyber-attacks is an empty one. But the proposed regulations are generally a welcome effort to raise the standard of cybersecurity governance.

Marcel Bucsescu is the co-program director for The Conference Board’s Chief Legal Officers Council and executive director of the Ira M. Millstein Center for Global Markets and Corporate Ownership at Columbia Law School. Matthew Waxman is a law professor at Columbia Law School, where he co-chairs the Roger Hertog Program on Law and National Security. He is also Adjunct Senior Fellow for Law and Foreign Policy at the Council on Foreign Relations and a member of the Hoover Institution Task Force on National Security and Law.

The views presented on the Governance Center Blog are not the official views of The Conference Board or the Governance Center and are not necessarily endorsed by all members, sponsors, advisors, contributors, staff members, or others associated with The Conference Board or the Governance Center.
