Cuomo Announces Strengthened Cybersecurity Requirements

EisnerAmper‘s Service Provider Spotlight is a monthly entry to our Alternative Investments Intelligence Blog featuring service providers. If you’re interested in being featured, please contact Elana Margulies-Snyderman.

On March 1, 2017, the newly proposed cyber regulation (23-NYCRR-500)  for New York-registered financial institutions took effect. It requires covered entities to employ “necessary safeguards in place to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes,” said New York Governor Andrew M. Cuomo. In many respects, 23-NYCRR-500 is consistent with principles and requirements from similar cybersecurity regulations imposed onto state-regulated businesses such as SB 1386   in California, 201-CMR-17  in Massachusetts,  Chapter 603A in Nevada or other financial industry regulations, including the U.S. Securities and Exchange Commission’s Cybersecurity Initiative  and NFA Cybersecurity Interpretive Notice.

Some of the common requirements are:

• Cybersecurity risk assessment and governance
• Data classification and loss prevention
• Access controls and identity management
• Business continuity and disaster recovery planning
• Incident response
• Vendor and third-party service provider management, and
• Cybersecurity awareness and training

However, 23-NYCRR-500 raises the bar for cybersecurity compliance. Dubbed as “first-in-the-nation,” the new regulation introduces a more stringent cybersecurity doctrine:

• Qualified cybersecurity personnel, e.g., Chief Information Security Officer (CISO)
• Cybersecurity program vs. only a policy
• Annual penetration tests and vulnerability assessments vs. only risk assessments
• Encryption of all non-public data, whether on servers, laptops, or mobile devices
• 72-hour notice of each cybersecurity event, whether confirmed breach or unsuccessful attempt
• Annual written attestation of compliance with the regulation by the senior management

While above requirements may seem to be excessive at first, indeed the apple doesn't fall far from the tree. It was in July of 2003 when the first-of-its-kind-cyber law (SB 1386) was passed by the California legislature to enforce the privacy of personal information. By 2016, at least 47 states had enacted legislation requiring private, governmental, and/or educational entities to notify individuals of security breaches of information involving personally identifiable information.  In addition to data privacy laws, there have been many emerging industry-specific cyber regulations, such as the SEC Cybersecurity

Initiative and CFTC/NFA Interpretive Notice. Nonetheless, over 5 billion records have been exposed globally to cyber breaches since 2013  emphasizing the need for even stronger privacy laws. As a result, many states have already been engaged to make these laws even tougher by expanding (i) the definition of "personal information" to include medical, insurance, or biometric data, (ii) the definition of what constitutes a data breach, (iii) types of organization that must comply with cyber laws in a given state, and (iv) data breach notification requirements (e.g., timing and methods of notice, and who must be notified). Tennessee, for example, recently signed into law SB 2005 , which requires data breach notifications even if breached data was encrypted. New regulations have considerably increased the awareness of cyber risk, and firms are diligently embedding cybersecurity into the cost of doing business. Even so, it is getting harder and harder to navigate and comply with the plethora of changing regulatory requirements. Companies should partner with reputable cybersecurity experts to develop an effective strategy for staying up-to-date on cybersecurity threats and employing adequate cybersecurity best practices.