Looming financial cyber regulation – an alert to all industries

State government officials realize that cyber security needs to be promoted throughout private industry financial sectors, but none have issued any state-wide initiatives to mandate change—until now. The state of New York is proposing cyber security regulations for financial entities.

In September 2016, the New York State Department of Financial Services announced a proposal to regulate cyber security among financial institutions within the state of New York. Cynthia Larose, an attorney who chairs Mintz Levin’s Privacy and Data Security Practice, recently explained the proposed changes in her blog.

Larose, an experienced attorney who has received numerous awards, including being named among the Diversity Council’s Top 50 Most Influential Women in Technology, states that the new proposal “would require financial institutions and insurers to implement strong policies for responding to cyber attacks and data breaches.”

Once approved, New York’s game-changing new proposal will help protect the state from the devastating effects of cyber crime. According to Governor Andrew Cuomo, “this regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”

How soon will the new regulations take effect?

Before New York’s new proposal can be enforced, it must be published in the New York State Register (on September 28, 2016). It is then subject to a 45-day notice and public comment period.

What do the new regulations include?

The new regulations mandate that New York-based financial entities do the following:

  • Develop and implement a cyber security program that identifies cyber risks, tests for cyber security breaches and responds to cyber security events effectively to restore normal operations.
  • Have a written cyber security policy that covers information access and security.
  • Select a Chief Information Security Officer to implement, oversee and enforce the new program and its policies.
  • Have policies and procedures to ensure that non-public information held by third-party vendors is protected from unauthorized access.

Will the new regulations only affect New York?

Although the proposed regulations are New York-specific, it is highly likely that other states will adopt similar requirements, and not just for financial services. Industries across the board can expect that multiple regulations will soon be proposed to strengthen cyber security measures and ensure that training is in place.

The proposed regulations may help, but are they enough?

Although the proposed requirements do mandate annual training and vulnerability assessments, one important component is still missing: a way to test the effectiveness of the training.

This missing link is a looming issue, regardless of the industry that is involved. For many companies, corporate cyber training may be in place, but the effectiveness of the cyber education remains suspect. Are the employees really digesting the information in a way that will significantly improve cyber readiness? So far, there is little proof that an employee’s name on a training roster will prevent the compromise of private or personal information.

Annual training, such as that indicated in the New York proposal, may quickly be forgotten, and the proof of inadequacy is often a devastating breach of information that will cost thousands—if not millions—of company dollars to address.

While once-a-year training may meet government requirements, it goes against the recommendations of a number of security frameworks, such as NIST, ISO, HIPAA and others. These frameworks all agree that training content should be, among other things, engaging, continuous, short, simple and personal. Once-a-year training offers no way to validate the effectiveness of an employee’s cyber education. In addition, although the lengthy cyber security classes that may make up the training often include important information, that information may not be absorbed because it is not offered in easily digested, bite-sized portions.

If companies want to ensure that they are offering the best protection against employee-based cyber threats, they must not only verify that training is occurring. They must also have proof that it is actually working by measuring and monitoring the training’s effectiveness.