As early as March 1, financial institutions that fall under the purview of the New York Department of Financial Services will face a new cybersecurity regulation that aims to protect nonpublic customer information from hackers.
The proposed regulation requires covered entities to designate a chief information security officer who will develop and implement the firm’s cybersecurity program, and personally certify that the organization is meeting its regulatory mandate for the company’s board of directors as well as the NYDFS.
Part of the obligation will be notifying the NYDFS of any cyber-event that “is required to be provided to any government body, self-regulating agency or any other supervisory body; and that have a feasible likelihood of materially harming any material part of normal operations.”
Any firm that experiences a cyber-event will have up to 72 hours to report the incident to the NYDFS.
Such reports likely will be common occurrence for the majority of firms. According to a survey of approximately 550 senior executives commissioned by Kroll and conducted by Forrester Consulting, 89% of approximate 550 senior executives polled had a cyber incident in the past 12 months, and 42% of them said that customer records were the most common target.
Avi Gesser, Davis Polk
“I think whether a firm will have a problem implementing these requirements depends a little bit on where they’re situated and what they’re already doing in this area,” Avi Gesser, a partner at law firm Davis Polk, told Markets Media. “For almost everybody, the 72-hour notification obligation is going to be a big change. Couple that with the certification requirement and I think that is going to be the most significant challenge.”
Gesser has seen many situations where breached firms could not discover how and to what extent someone had compromised their systems within the 72-hour notification window.
“It can sometimes be months before they have a good sense of what really happened,” he said.
Additionally, the proposed regulation opens the door for overlapping state and Federal cybersecurity regulations in the future, although the NYDFS is the first state regulator to propose such a cybersecurity regulation for financial services.
“Companies often have four or five different regulators, depending on where they are and what they do, that are interested in their cyber issues,” noted Gesser. “If you operate in several states or you have customers or employees in several states, you may be subject to 30 or 40 different notice regimes that you have to quickly sort through to figure out if and where you have a notice obligation.”
Whether the state regulator’s proposed regulation will mitigate future cyber-attacks depends on how it plays out in practice, he added.