A Stitch in Time Saves Nine: Sustainable Compliance in Cyberspace

In the not-so-distant past, when hackers breached a company’s cybersecurity defenses and pilfered data, including sensitive customer information, the government and public alike often viewed the company as one of the victims. Not anymore. A confluence of cybersecurity developments is changing the game: highly publicized corporate network intrusions impacting large swaths of the U.S. population (Equifax, Yahoo and Target, to name just a few); a wave of aggressive new regulations (both currently in effect and proposed) at the state and federal levels, with the looming threat of regulatory enforcement and sizable penalties; and growing exposure to legal liability for data breaches under existing consumer protection laws. As the dust settles, an emerging legal and regulatory standard of care for cybersecurity is coming into sharper focus. Global financial firms, in particular, should pay close attention to this quickly evolving cybersecurity compliance landscape—or risk getting crushed under the weight of stiffening regulations and class action lawsuits.

Cybersecurity Regulations On the Rise

State and federal government agencies are increasingly pushing to regulate cybersecurity compliance, especially for financial services companies that routinely handle sensitive customer information. Cybersecurity has long been a mostly unregulated affair: stakeholders have operated pursuant to industry best practices and voluntary guidelines, such as the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity.” In March 2017, though, New York state’s financial watchdog, the Department of Financial Services (DFS), issued cybersecurity requirements for financial services companies. This is the first such set of regulations at the state level and easily the most ambitious cybersecurity compliance regime to date. Codified in Section 500 of the New York Code of Rules and Regulations, the suite of regulations applies to any corporation with more than 10 employees subject to New York’s Banking Law, Insurance Law, or Financial Services Law (with some exemptions). “Section 500,” as it’s simply known, mandates that covered companies, among other things:

• Designate a chief information security officer who is responsible for overseeing and enforcing the company’s cybersecurity policy;
• Create a cybersecurity program that includes monitoring and testing, developed in accordance with the company’s cybersecurity risk assessment; and
• Implement and maintain written policies addressing 14 areas, including information security, data governance and classification, and customer data privacy.