The NYDFS: Treating Cybersecurity as the Newest Business Opportunity

The New York Department of Financial Services (NYDFS) issued cybersecurity regulations that began to take effect on March 1, 2017.  Similar to the Health Insurance Portability and Accountability Act (“HIPAA”), the NYDFS imposed proactive cybersecurity regulations on “covered entities” doing business in New York.  Covered entities under the NYDFS cybersecurity regulations include insurance companies, banking institutions, trust companies, budget planners, check cashers, credit unions, and (thanks to Equifax) credit monitoring companies.

If you qualify as a covered entity under the cybersecurity regulation, you must create a detailed cybersecurity plan.  Yes, that’s right, requirements for covered entities to proactively address cybersecurity issues rather than just breach notification requirements.  Some of the detailed requirements include designating a Chief Information Security Officer (CISO), enacting a comprehensive cybersecurity policy, and initiating and maintaining an ongoing reporting system for cybersecurity events.  And then there is the yearly reporting bonus.  Every year (starting on February 15, 2018) either the Chairperson of the Board of Directors or a Senior Officer is required to sign a statement that the Chairperson or Officer has reviewed all the applicable documents about their company (and about their vendors) that are necessary to certify that the covered entity complied with the Rules during the prior year.  Oh, and a subsidiary of a compliant organization cannot rely on its parent’s certification.  Each entity must separately certify.  So here we are on the eve of the first reporting deadline.  New Year’s Eve for covered entities.  And that’s not all!

The NYDFS has forthcoming requirements that must be completed by March 1, 2018.  All covered entities are required to complete and implement a risk assessment.  And unlike the NIST’s Cybersecurity Framework, which specifically points to cost effectiveness as a proper component of cybersecurity risk management, NYDFS expressly states that the required risk assessment “is not intended to permit a cost-benefit analysis of acceptable losses where an institution is faced with cybersecurity risks.”

Now, the NYDFS is not completely without flexibility.  It does allow covered entities to accept “reasonable” risks, but does not set forth the standards it will follow to determine if those risks are “reasonable”.  The biggest problem with that is what constitutes “reasonable” will not be fleshed out until after covered entities are rung up for non-compliance.  And, let’s not forget that if there is a material change within an organization, the assessment must be performed again.  Bonus, a “material change” is equally ambiguous.

The March deadline also includes things like penetration testing and vulnerability assessments or continuous monitoring, employing multi-factor authentication or a reasonably equivalent alternative, and regular cybersecurity awareness training.  All of these tasks seem both daunting and expensive.  However, there is no reasonable alternative.  We live in a world where cyber-threats are a twenty-four-hour-a-day, seven-day-a-week proposition.  There is literally no rest for the weary.  And these seemingly arbitrary regulations force companies to take cybersecurity seriously and make it a part of everyday work culture in their organizations.  The regulations provide accountability and responsibility.

But, they also present an opportunity.  An opportunity for increased revenue and consumer trust.  A chance to show that consumers and businesses are on the same side.  It isn’t just an “us versus them” proposition.  We are literally all in this together.  Cybersecurity is a shared responsibility — as All Things Auth outlined in detail, both companies and individuals need to be a part of the cybersecurity solutions.  A company that uses these regulations as an opportunity, rather than a mundane exercise it must go through to be in compliance, will not only start to embrace its own responsibility in securing data, but will also see a real ROI from a public relations (and then financial) perspective.

Businesses typically are not fans of regulation.  But, regulations are, unfortunately, a necessary evil in a capitalistic society.  Turning the regulatory lemon into “PR” lemonade will really separate the ladies from the girls in terms of corporate longevity.  Cybersecurity is something we all need to invest in; from the person in the mailroom to the executive in the corner office.  It protects us all and makes everyone more secure because we are only as secure as our weakest cyberlink.  And remember, in business (as in life), cybersecurity is always a good investment.

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.