W. Todd Hicks ()
As the National Governors Association summer meeting convened in Providence this month, more than 30 governors from around the country—joined by Canadian Prime Minister Justin Trudeau and U.S. Vice President Mike Pence—placed special attention on one issue in particular: cybersecurity. That can’t be a surprise to anyone. We now know that data theft played a role in the 2016 Presidential election. We also know that nearly two-thirds of federal agencies have suffered a data breach, while more than 95 percent of federal agencies consider themselves vulnerable to a breach, according to a report from the cybersecurity firm Thales. And of course, we know that cybersecurity incidents are having a major impact on commerce. Cybersecurity practices are doing a booming business counseling victims of data breaches, when they aren’t being targeted themselves—something DLA Piper experienced in late June, when a cyberattack shut down the firm’s phones and email for days.
The problem is everywhere, and there’s no doubt that many of the governors in Providence are searching for solutions to it. As they do, they might consider the example of New York, which introduced groundbreaking cybersecurity rules in 2017 and is openly calling on other states to follow its lead. The New York regulatory framework offers a viable model for other jurisdictions to adopt, particularly as global cyberattacks make cyber defense an urgent matter.
New York’s cybersecurity regulations are the first of their kind. Implemented earlier this year by the state’s Department of Financial Services, they apply only to insurers and certain financial institutions—businesses that, due to the sensitive nature of customer data they maintain, have much at risk in any data breach. One of the regulations’ major provisions is a mandate that the banks and insurers subject to them appoint a Chief Information Security Officer by August 2017. In addition, they require periodic risk assessments and the maintenance of cybersecurity programs, as well as requiring entities to:
• Implement written cybersecurity policies;
• Comply with governance and staffing requirements, including appointment of a CISO by August 2017;
• Limit user access privileges;
• Install a vendor risk-management program, policies and procedures;
• Destroy nonpublic information periodically and securely;
• Establish a written incident-response plan;
• Provide regular cybersecurity awareness training; and
• Notify the DFS of any breaches within 72 hours.
Not long after the implementation of the New York rules in March, the WannaCry ransomware outbreak infected approximately 200,000 endpoints across 150 countries. That was more than enough to underline the cyberthreat to financial institutions and insurance companies, even before a second round of global ransomware attacks arrived via the “Petya” software.
SEC disclosures open an important window onto actual corporate attitudes towards the risks posed by such attacks. In its March 10-K filing, BlackRock, the world’s biggest asset manager, said “a cyberattack or failure to implement effective information and cybersecurity policies, procedures and capabilities could disrupt operations and cause financial losses that may have a material adverse effect on our business, results of operations and financial condition.” Meanwhile, MetLife acknowledged that although it has taken preventive actions to protect its IT, it may not be sufficient “to prevent physical and electronic break-ins, cyberattacks or other security breaches to our computer systems,” according to the company’s March 24, 2017 10-K filing.
A study of 10-K disclosure statements by the International Association of Privacy Professionals late last year found that one in five companies warns investors that its liability associated with a data breach could exceed its insurance coverage. Even with such potential financial harm hanging over them, companies that disclosed some form of privacy risk cited the reputational harm of a data breach as their biggest risk factor. Meanwhile, fewer than half flagged concerns about business partners and third-party vendors. This despite the experience of Scottrade, which had 20,000 customer records exposed due to human error at a vendor.
Highly publicized intrusions like the current ransomware attack, and the costly resolution of previous data breaches, remind companies of the severity of risk they face from such events. Just recently, Anthem, the nation’s largest health insurer, agreed to a record $115 million settlement in litigation over a 2015 breach that exposed the personal information of 79 million individuals.
The DFS rules are one state’s effort to shore up cybersecurity efforts, prevent such costly incidents from happening and speed the resolution of those that do. In April, the superintendent of DFS, Maria Vullo, urged a gathering of state insurance commissioners to consider New York regulations a model for other states to follow. Commentators appear mixed on the extent to which New York’s regulations will actually be picked up by other states. Criticized as being too harsh when first introduced in September 2016, the regulations were rolled back somewhat in their final form. This has led to criticism that the regulations are too specific in parts, and simultaneously too vague in others.
Nonetheless, with no analogous regulatory regime in place, the New York rules are the de facto starting point for all that follow. The only question is how many others will have followed New York’s lead by the time the governors meet this time next year.