Summer 2018 was dominated in the EU by the General Data Protection Regulation (GDPR), and in the US, by the California Consumer Privacy Act of 2018 (CaCPA, otherwise known as California GDPR). Both of these regulations on data represent a significant shift in how the business community manages and protects consumer information. If you read the fine print, both of these regulations will ultimately drive more action on cybersecurity.
However, less attention is being paid to the September 4, 2018 compliance deadline for New York’s Department of Financial Services Cybersecurity Regulations (23 NYCRR 500) that have since passed. Yet, in practical terms, the New York regulations have a far more immediate impact on businesses, especially in the financial sector. New York’s regulation also has greater potential to improve cybersecurity outcomes that will ultimately benefit consumers.
Broad Consumer Protection Drives GDPR and CaCPA
Fundamentally, the GDPR and CaCPA are not cybersecurity laws; they are data-centric consumer protection laws that aim to give consumers access and control over data, rather than mandating specific data protections. Both the CaCPA and GDPR reference a duty to maintain security practices and procedures equal to the risk of harm to consumers. The CaCPA requires organizations to have data security programs in place to protect consumer data. The GDPR makes it clear that security is a foundational element of data protection, and requires that it be part of product and service design and execution. The GDPR also includes strong financial incentives for ensuring that cybersecurity programs are robust and effective: fines of up to €20 million or four percent (4 percent) of annual global revenue.
In both cases, having strong cybersecurity programs can be taken into consideration by enforcement actions. However, the end result of both the EU and California approaches is a lot of guesswork on what meets the standard for cybersecurity protections.
Similar to the EU’s transitional approach to implementing the GDPR, 23 NYCRR 500 has been in effect since March 2017 but includes multiple deadlines. In fact, the regulations will not be fully enforceable until March 2019. Other similarities include requirements for written plans, annual assessments, and the appointment of an executive to oversee the programs required by the rules. In the case of the New York regulations, the appointment of a Chief Information Security Officer is required. These broad requirements are generally where the similarities between the GDPR, CaCPA and 23 NYCRR 500 end.
Targeting Areas of Concern: New York’s Approach
The New York regulations are specifically directed at protecting businesses regulated by the New York State Department of Financial Services, and their customers, from the impacts of cyber attacks. The provision effective in September 2018 provides guidance and focus on an otherwise underrepresented—but highly vulnerable—area of any organization: Application Security.
Section 500.08 Application Security.
(a) Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.
(b) All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.
There’s a lot of punch packed into those 83 words. Terms like “shall” make AppSec mandatory while “in-house developed” and “externally developed” ensure all applications used in a regulated company meet defined standards. Additionally, “periodically reviewed” means the actions cannot be a “one and done” practice.
In adopting 23 NYCRR 500, New York officials took a comprehensive view of cybersecurity, ensuring each area of concern received the focus it required. For example, network protections have historically received the lion’s share of cybersecurity funding and staffing. Yet, known code vulnerabilities in applications are the primary target for successful attacks. Pick any high-profile data breach from the past decade and chances are that a known flaw in an app was at the core of the attack – often a known, but unpatched software bug. That’s one of the reasons by the New York State Department of Financial Services includes a specific application security provision, one of 15 different areas of focus. Other areas include requirements for Penetration Testing and Vulnerability Assessments, Audit Trails, Limits on Data Retention, Training and Monitoring, and Encryption of Non-Public Data.
Under this regulation, businesses only have 72 hours to report any “cybersecurity event” that has “a reasonable likelihood of materially harming any material part of the normal operation(s)” of the business to the Commission of Financial Services. While this is the most aggressive breach notice provision in the US, it stops short of requiring a public notice of the event within the same timeframe. In the EU, a similar GDPR requirement is driving a surge in breach notifications, according to the United Kingdom’s Information Commissioner’s Office.
The Influence Outside of New York
After seeing consistent complaints from consumers and corporate boards, public officials across the US are asking the obvious question: Should New York's cybersecurity rules be a model for the rest of the country?
The passage of the CaCPA in June 2018 is proof that other states are looking to address the unrelenting threat from cybercriminals in a more comprehensive way. Federal regulators are also discussing the need for more cybersecurity accountability.
The Federal Reserve Board's vice chairman for supervision, Randal Quarles, noted in February that more action is required: “While we know that successful cyber attacks are often connected to poor basic information technology hygiene, and firms must continue to devote resources to these basics, we also know that attackers always work to be a step ahead, and we need to prepare for cyber-events.”
However, legislators must find a delicate balance. Regulations that are too prescriptive run the risk of preventing companies from being able to address the ever-changing attack vectors used by malicious hackers. Overly broad rules can fail to provide the guidance required to ensure the outcomes sought by the regulations – and a high level of compliance – is achieved.
It won’t take long to determine into which category 23 NYCRR 500 falls.
About the author: James E. Lee is Executive Vice President of Waratek, a leading cybersecurity company based in Dublin and Atlanta. Lee is the former CMO at data pioneer ChoicePoint and an expert in data privacy and security, having served nine years on the Board of the San Diego-based Identity Theft Resource Center including three years as Chair. Lee has served as a leader of two ANSI efforts to address issues of data privacy and identity management. Lee is also a former global leader at International Paper Company (NYSE: IP).
