'Training Wheels' Come Off New NY Cybersecurity Rules
New York’s financial services regulator has demonstrated an eagerness to help companies get up to speed on the state's landmark cybersecurity rules over the past two years, but with the implementation grace period now over, enforcement is likely to heat up, experts say.
The first-in-the-nation cybersecurity rules developed by New York’s Department of Financial Services, which took effect in March 2017, require banks, insurers, financial businesses and regulated virtual currency operators to fortify their cybersecurity protocols by establishing a detailed data security plan, increasing their monitoring of third-party vendors, appointing chief information security officers and reporting breaches within 72 hours.
The regulation has been implemented in stages, with the final compliance deadline occurring March 1. That date obligated regulated entities to have written policies and procedures in place to ensure that their third-party vendors are following cybersecurity best practices.
“It’s been two years now, with all of the transition periods over. So banks and insurers can breathe a short sigh of relief, but we are only in the first inning of a much longer game,” said Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP in New York who chairs the firm’s data security practice. “We really do have a far way to go.”
What Form Will Enforcement Take?
Patrick J. Burke, who in his former role as the first head of DFS’ Office of Financial Innovation supervised compliance examinations under the groundbreaking regulation, said that oversight during the past two years has largely centered on “fostering a cooperative environment” that helps companies learn their new obligations.
“The emphasis when I was there and under then-Superintendent [Maria] Vullo was on educating the licensed community and encouraging them to adopt this new set of standards, and there wasn’t a big emphasis on any sort of penalties at this stage,” said Burke, who worked at DFS from February 2018 until January, when he left to join Phillips Nizer LLP in New York and lead the firm’s data technology and cybersecurity group. "We had a real mission to be constructive and to treat our examinations as a learning experience and as an opportunity to encourage compliance."
DFS has beefed up its examiners and its expertise in cybersecurity since the regulation went live, building a dedicated team of cyber examiners who receive regular updates and training, according to Burke.
"We understood that the regulation raised the bar, and that particularly for institutions that weren't banks or insurers, this was a whole new game," Burke said. "When we came across those who weren't used to these kind of obligations and hadn't met the criteria, we'd work with them to get there. Getting everyone's mind focused on these issues made a big difference."
With the implementation window now closed, the approach that DFS has taken to enforcement may begin to shift.
“At some point that’s probably going to happen,” said Burke. “When the training wheels come off, everybody has to take more responsibility for compliance, and with a new superintendent there could be a new approach, so I’ll be keeping my eyes open on that.”
Vullo left the agency in February and was replaced by Linda A. Lacewell, who is serving in an acting capacity while awaiting state Senate confirmation.
The way DFS approaches examinations and interacts with financial institutions over the next 12 months is likely to be a key indicator of what enforcement strategy will prevail, attorneys say.
“This is going to be a great conversation to have in a year, because really the next year is going to be very informative about how DFS treats issues such as vendor management, which are things that have traditionally been considered good ideas but that companies hadn't been required to do,” said Michael Steinig, a partner at Eversheds Sutherland. “So in examinations over the next six months, DFS is going to be looking at not only whether a company had an incident, but also whether the company is prepared for an incident.”
The hope, according to Steinig, is that DFS will reward companies that have done their best to fall into step with the new regulation, even if the regulator finds some shortcomings.
“One of the beauties of the rule is that it gives companies a lot of flexibility and control over how to set up their program,” Steinig said. “But the problem with that is that it’s so hard to tell what DFS actually wants. This is the first chance for the department to tell companies either that even though there’s a lot of flexibility, this is not what we meant, or that as long as the company has done a risk-based assessment and feels comfortable, then we're comfortable.”
Mike Stiglianese, a managing director in professional service firm BDO's cybersecurity advisory practice, said that he has heard of some companies receiving letters from DFS for missing the first deadline in February 2018 for certifying compliance with the regulation, but none of the companies he advised has had to deal with any enforcement actions to date.
While it remains to be seen where the regulator will go from here, DFS could borrow from the model used by the U.S. Securities and Exchange Commission when it was tightening its cybersecurity disclosure guidelines, according to Stiglianese. The SEC did a series of sweeps that first checked to see if adequate policies and procedures were in place, and then progressed to checking whether they were actually being implemented.
"You can write policies and procedures, but it takes time to get everyone in the organization to understand them and adjust workloads accordingly," Stiglianese said. "Hopefully, DFS will take into account that this is an evolutionary process."
Whichever way DFS goes on enforcement, one thing is clear: Even though the hard work of implementing the regulation is over, covered entities must remain vigilant.
“Banks and insurers shouldn’t view the fact that the transitional periods are over as an end of an organization’s compliance efforts,” Newman said. “It’s just the beginning. Although an organization might be fully compliant today, that can easily change unless there’s ongoing and thorough diligence and monitoring of the firm’s data security environment and program.”
Burke noted that while he was in charge of the cybersecurity examination process at DFS, covered entities appeared to be doing "a pretty good job" of meeting their new obligations.
"It involved a stretch for some institutions, but they were stretching," he said. "While not everyone had compliance 100 percent down — which was somewhat to be expected — every company that we looked at was making a very good effort and assessing the risk in the way that we had asked them to, and in a lot of ways, folks who were doing cybersecurity at these institutions seemed to welcome the challenge and the guidance."
Compliance Landmines Ahead
Perhaps the most challenging aspect of compliance will be the requirement that regulated entities implement policies and procedures to secure information systems and nonpublic information accessible to, or held by, third-party providers, experts say.
"While a firm’s approach to its vendors is based on the risk assessment process, it still requires a roll-up-your-sleeves approach in evaluating the severity and impact of risk that each vendor presents to your network and sensitive information," Newman said. "It’s only after considering these issues that effective and meaningful third-party policies and procedures can be put in place to mitigate the risk presented by a third party. DFS has made clear that this is an important issue and will likely be the subject of the audit process.”
The DFS rules turn the traditional definition of vendor on its head by expanding the universe of relevant third parties, meaning that even companies with a sturdy vendor management program in place will need to undertake a fresh assessment of who has access to personal or sensitive nonpublic information. That can include law firms, accounting firms and other professional service providers, according to Steinig, who has been working with clients to streamline their vendor management processes in response to the regulation.
"DFS has taken the vendor management piece to a completely different level, requiring so much more diligence and documentation than we've seen under any other regulatory framework," Steinig said.
The requirement to audit vendors regularly is also likely to be tricky for covered entities, given the historical tendency for companies to leave third parties largely to their own devices once a contractual arrangement is in place, Steinig said.
"There now has to be a documented, structured program for ongoing review. That process can't be haphazard anymore," he said.
As the regulation matures, companies may also find themselves facing scrutiny stemming from the 72-hour window for reporting data breaches. The quick reporting deadline had raised red flags when the New York rules were announced but has yet to cause significant headaches.
BDO's Stiglianese noted that what precisely constitutes a reportable incident under the regulation is not clearly defined, and that financial institutions likely won't get clarity on that point "until New York state comes in and, based on some examinations, gives a better view of what that definition is."
When DFS issued its rules two years ago, experts had predicted that federal banking regulators, insurance commissioners and states from Connecticut to California would soon follow with similar cybersecurity mandates of their own.
Hints of this anticipated spread are starting to materialize. State insurance regulators are beginning to adopt cybersecurity rules finalized by the National Association of Insurance Commissioners last year that share similarities with the DFS regulation. The Federal Trade Commission earlier this month proposed changes to data security protocols under the federal Gramm-Leach-Bliley Act that borrow from New York's groundbreaking rules, including requirements to encrypt customers’ personal data and mandate two-factor authentication for access to bank accounts.
"I think the New York regulation has gotten a reputation as being a good standard, and a lot of other states have been impressed by these standards. So it wouldn't be surprising if these states, which have the same kind of cybersecurity concerns as New York, adopt rules like this," Burke said.
Steinig agreed that the New York rules will almost certainly continue to catch on, but "how quickly and in what form still remains to be determined."
"It's likely that at some point, the financial services industry is just going to say, 'Whether we're regulated or not, we're going to follow these rules because it's the right thing to do. Everybody else is doing it and we're going to be required to do it soon anyways,'" he said.
--Editing by Jill Coffey and Aaron Pelc.
Read more at: https://www.law360.com/articles/1140839?copied=1