New York enacts bold cybersecurity law

Security guidelines, initially proposed by the New York State Department of Financial Services (DFS), will become law Aug. 28, 2017. This has sparked statewide audits and broad compliance measures among organizations deemed by the department to be "Covered Entities." These include banks, other financial institutions and insurance companies, according to the DFS.

Security analysts see a fundamental shift in the new regulations, which require companies to treat cyber security as a risk management issue and hold senior executives accountable for their companies' security policies, procedures and collaborations with third-party service providers.

Maria T. Vullo, DFS Superintendent of Financial Services, introduced the legislation, dubbed 23 NYCRR 500, in March 2017, which included a 180-day transitional period to give organizations time to become compliant. Vullo said she expects the new laws to address "the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors."

Steven Grossman, Vice President of Strategy at Bay Dynamics Inc., said the far-reaching initiative is the first state-sponsored regulation to prescribe a risk assessment model to security. The model is markedly different from previous compliance efforts, which tend to be restrictive, he noted. "There's a realistic expectation that if you try to protect everything equally, you'll do a poor job of protecting your organization," he said. "For example, you wouldn't want to lock up snacks in the same way that you'd lock up fine jewelry. Payment data, like fine jewelry, is an important asset to protect; different assets require different levels of protection."

Assigning responsibility

Grossman additionally noted the law's requirement for a Chief Information Security Officer (CISO), which the DFS defines as "a qualified individual responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy." CISOs, who may be employed by an organization, affiliate or third-party service provider, are required for any company with more than 10 employees and $10 million in total year-end assets, which includes a broad cross-section of New York companies, he stated.

CISOs will be required to provide written reports at least once a year to their respective board of directors or governing body, detailing their cybersecurity programs' scope, effectiveness in protecting assets and nonpublic information, and perceived material threats, the DFS stated.

"Many companies set and forget when they outsource back office procedures or other business-critical functions to a third-party service provider," Grossman stated. "Ongoing due diligence will ensure these companies are operating at the same level of requirements."

Operations and scope

Statewide cybersecurity laws require all New York State companies to implement a broad set of compliance measures in each of the following areas: information security, data governance and classification, asset inventory and device management, access controls and identity management, business continuity and disaster recovery planning and resources, systems operations and availability concerns, systems and network security, systems and network monitoring, systems and application development and quality assurance, physical security and environmental controls, customer data privacy, vendor and third-party service provider management, risk assessment, and incident response.

Self-directed guidance

Going forward, Covered Entities in the State of New York will be required to "implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity's board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity's policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems," the DFS wrote.

Participating organizations are free to interpret the guidelines as they see fit, based on their perception of risk and their unique approaches to implementation, Grossman stated. For example, the law mentions multifactor authentication as a possible approach, while allowing organizations to make their own choices. "The larger financial institutions are already moving in that direction, but further downstream, many midsize providers are finding two-factor authentication inconvenient and difficult to implement," he added. "And if you don't find ways to make security convenient, it will continue to be a challenge."

Editorial Note:

Whether you want to upgrade your POS offerings, find a payment gateway partner, bone up on fintech regs or PCI requirements, find an upcoming trade show, read about faster payments, or discover the latest innovations in merchant acquiring, The Green Sheet is the resource for you. Since 1983, we've helped empower and connect payments professionals, starting with the merchant level salespeople who bring tailored payment acceptance and digital commerce tools, along with a host of other business services to merchants across the globe. The Green Sheet Inc. is also a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.