New York Amends Cyber Security Proposal
On December 28th, New York’s Department of Financial Services reissued its proposed Cybersecurity Program Requirements which are to be phased in starting in March.
Although the amendments are designed to clarify that entities covered by these regulations (a category that would include state chartered credit unions and CUSOs incorporated pursuant to State Law) can develop policies that reflect individual risk assessments, it remains to be seen whether these changes will go far enough to assuage the concerns of insurance companies, banks and credit unions that will have to comply with these “First in the Nation” requirements. Remember these regulations only apply to state chartered institutions, but may very well provide a template for other states across the nation.
First the good news. The exemption from these regulations (proposed section 500.19) has been expanded; it now includes an organization with fewer than 10 employees or less than $5,000,000 in gross revenue in the last three years. The previous exemption only applied to entities with fewer than 1,000 customers in each of the last three calendar years.
The proposed regulation has also been amended to clarify that an organization’s policies and programs are to be based on its risk assessment. While this helps, the Department refused to clarify the extent to which compliance with federal standards can satisfy these regulations.
The amendments also clarify that a covered entity can satisfy these regulations by using an affiliate’s cybersecurity program. In other words, a state charter with a CUSO can use a single program so long as it applies to both entities.
A huge issue, particularly for larger institutions, is the state’s proposals requiring institutions to encrypt nonpublic information that is not being transmitted. I have conversed with a couple of techies about this. They argue that when information is being stored on a secured system it shouldn’t be subjected to the same encryption requirements as data being transmitted. Show revised section 500.15 to your IT people and see if the proposed changes go far enough to address these concerns. Yours truly is by no means an IT expert, nor does he play one on TV.
There is still plenty in here to make institutions moan. For example, covered entities will still have to undergo cybersecurity training.
Happy New Year!