Implementing Cybersecurity Legislation
An overview of the NYDFS and NAIC model laws
By Mitchell Ayes , Paul Lanza , Samit Shah
The increasing pace of cyber-related events and crimes has led state regulators to survey the growing risks and take action. In New York, the Department of Financial Services (NYDFS) enacted cybersecurity rules effective March 1, 2017. Leading the nation in this effort, the NYDFS regulation has been viewed as a blueprint for many other states as well as industry initiatives such as the National Association of Insurance Commissioners’ (NAIC) cybersecurity model law. The impetus for these regulations comes from heightened concerns about internal and external threats—nation-state, terrorist, and independent actors creating financial losses and stealing electronic data to be used for illicit purposes. By establishing standards for data security, event investigation, and notification by affected companies, states believe they can better protect customer non-public information as well as a company’s information technology systems from being compromised.
Aug. 28, 2017, marked the first compliance date for NYDFS’ cybersecurity regulations. Now that financial institutions are under the gun to comply with the regulations promulgated by NYDFS, let’s take a look at some of the most important new requirements.
First, banks, insurance companies, and other financial services institutions must designate a “qualified” individual to act as chief information security officer (CISO). The CISO is responsible not only for overseeing the company’s written cybersecurity program and policy, but also for reporting in writing to the company’s board of directors at least annually. In addition, in the event of a cybersecurity event, covered entities must follow NYDFS’ mandatory reporting requirements, which include notifying the NYDFS superintendent within 72 hours of determining that a reportable event has occurred.
Furthermore, the NYDFS regulations require that financial institutions maintain state-of-the-art security controls, such as encryption of non-public information and multifactor authentication, to further protect against a breach. More specifically, the regulations require audit trail systems that record user access and system events and allow material financial transactions to be reconstructed. The regulations also extend to third-party service providers, both in the implementation and in the maintenance of the organization’s cybersecurity policy: a covered entity must ensure that its service providers protect the entity’s information systems and non-public information to a comparable standard. The main goal of the third-party provisions is careful risk assessment of service providers before engagement and periodic monitoring of them throughout the business relationship.
In drafting its model law, the NAIC stated that its goal is to ensure that a company that is compliant with the NYDFS regulations will also be compliant with the model law. Nevertheless, there are several important distinctions between the model law and NYDFS’ requirements, which we highlight below.
One important variance is that the NYDFS regulations provide a broader, catch-all definition of protected information than the NAIC counterpart. Under the NYDFS regulations, protected information includes “any information that can be used to distinguish or trace an individual’s identity.” The NAIC model law, by contrast, appears to concern itself only with information that would permit the “fraudulent assumption of the consumer’s identity or unauthorized access to an account of the consumer.” Accordingly, the reporting requirements will likely be triggered more easily under the NYDFS regulations than under the model law. The NYDFS regulations set no threshold on the number of non-public information records that triggers notification to the regulator, whereas the model law requires notification to the commissioner only when the event involves 250 or more consumers residing in the state.
Another important difference between the NYDFS regulations and the model law is that the model law provides that any data breach reports are confidential and cannot be subpoenaed or produced pursuant to any federal or state Freedom of Information Act or discovery request. No such provision exists in New York.
Additionally, in the event of a breach, the model law provides specific regulations as to the timing and content of notice to consumers and credit reporting agencies. Likewise, the model law states that the commissioner can compel the company that suffered the breach to provide consumer protections for a period of at least one year. The NYDFS regulations, however, do not have specific provisions regarding consumer notice or notice to credit reporting agencies, and do not provide any regulations regarding consumer protections.
So as the other 49 states begin to consider enacting state cyber regulations, what can we expect them to do? Both the NYDFS and NAIC provide guidance to companies on what rules they must follow to secure non-public information. They are also specific as to what actions must be taken in case of a breach event, notification to the state regulator, and services to individuals affected. Both specify different timelines for when certain parts of the regulation or model law would take effect or be enforced.
We can expect states to follow the spirit and intent of both approaches, but states will likely differ from one another in a few areas. For instance, each state will probably determine a different per-person threshold limit of when the regulator and people of the state must be notified following a security breach. Furthermore, specifics regarding the sector and size of the types of organizations that must comply with the rules will likely vary by state, not to mention what the enforcement actions for non-compliance would be. Each state will determine how it will certify that firms are complying with these rules.
There are certain key messages in both approaches. First, there should be an individual responsible for overseeing security, whether someone employed within the organization or a contractor who reports to someone in the company. Second, it is imperative for an organization to have a written and regularly tested cybersecurity policy and incident response plan. Third, whatever policy is put in place must account for third parties and vendor management. The risks generated by vendors that provide critical business functions and collect, process, transmit, or store non-public information are too great to ignore. Lastly, the company’s senior management must have visibility into, and accountability for, its cybersecurity program. By acting on these messages, a company will increase its resilience against the growing number of cyber threats and attacks.