NY Cybersecurity Deadline Nears
The CEOs of Citigroup, Goldman Sachs, and Morgan Stanley reportedly are the latest victims of the same merry hacker who duped Barclays CEO Jes Staley and Mark Carney, Governor of the Bank of England, with email phishing attacks earlier this year.
Although the attacks did no lasting damage, they should spur firms to meet the New York State Department of Financial Services’ August 28 deadline for compliance with its new cybersecurity regulation, 23 NYCRR 500, according to cybersecurity experts.
“These are not institutions that have low-key security programs,” said Pamela Gupta, president of Outsecure, during a cybersecurity webinar. “This is not what we would expect from firms with advanced cyber capabilities. And yet, this was able to go through.”
Preparing for compliance with the DFS regulation will not be an easy lift for firms.
“This is not a ‘checkbox’ regulation,” she said. “There is accountability and documentation expected at every level, from the board to third-party providers.”
Fellow presenter Kenneth Rashbaum, partner in the Cybersecurity Practice Group at Barton LLP, noted that the brevity and clarity of the 14-page document show how seriously the DFS is taking data privacy.
“It’s like a liquid that has been distilled into its essence,” he said.
“A lot of the regulations in these financial institutions carry a bit of ambiguity around them, which makes it more difficult to meet,” agreed Gupta. “In this case, it doesn’t have that, which is to your advantage.”
The DFS has not yet published any guidance or a list of frequently asked questions regarding the regulation, nor has it developed an enforcement mechanism, but that should not lull firms under the new mandate into a false sense of security.
“It does not mean that the Attorney General would not start a proceeding anyway,” said Rashbaum. “There just is not a documented framework yet.”
The regulation went into effect on March 1, he added. “On March 21, New York State Attorney General Eric Schneiderman issued a press release that there were a record number of breaches in 2016 in New York State and recommended a list of cybersecurity practices. If the New York State Attorney General in light of these regulations is making a recommendation, it is not a real recommendation. It is something that you have to do.”
Besides keeping firms on the right side of the DFS, Rashbaum saw in the regulation a standard of care that other regulators could reference, such as FINRA under its Rule 2010 and the Securities and Exchange Commission under its Regulation S-P.
The trend of states regulating cybersecurity is only likely to grow, since Massachusetts has had similar regulations for quite some time, as has California, according to Rashbaum.
“New Jersey is already considering similar legislation,” he said. “I spoke on cybersecurity at a conference for the New Jersey State Bar earlier this week, and the assemblywoman who sponsored the bill announced that.”