New York Steps Up With First State-Level Cybersecurity Regulations for Financial Services Companies

By Adam Hamm, Managing Director
Risk & Compliance

With the future of federal regulations uncertain, the New York Department of Financial Services (NYDFS) has taken cybersecurity matters into its own hands. Effective March 1, 2017, banks, insurers and other financial services companies regulated by the NYDFS must maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

New York is the first state to adopt comprehensive cybersecurity regulation. Others are watching closely. The National Association of Insurance Commissioners (NAIC) is still crafting its own highly anticipated cybersecurity model law, and comparisons between the two frameworks will continue. We will be following up on these developments as they happen, as well as monitoring whether other states will follow New York’s lead.

Much more than a ritual box-checking exercise, the New York regulation requires the state’s banks, insurance companies and other financial service providers to each conduct a thorough cybersecurity risk assessment and design a robust cybersecurity program based on the findings.

Risk assessments will vary according to the individual risk profile of each covered entity but, generally, the documented risk assessment needs to do the following:

  • Provide criteria for the evaluation and categorization of identified cybersecurity risks or threats which the entity may face.
  • Design criteria for the assessment of the confidentiality, integrity, security and availability of the entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks.
  • Develop a risk mitigation program that describes how actual risks will be mitigated (or accepted) and how the company will monitor these risks. It is important to document the systems that are in place to detect and defend against cyberattacks, and test employee response to ensure that protocols are both followed and effective.
  • Develop policies and procedures for the implementation and operation of the cybersecurity program, and train employees in these procedures.

In addition, each entity must designate a qualified chief information security officer (CISO) to administer the cybersecurity program. This may not be news to larger financial institutions, but for a smaller entity it may be a brand new requirement that calls for some restructuring.

A CISO doesn’t have to come from within the entity’s ranks. Third parties can provide the CISO oversight services in an outsourced capacity. It is important to note, however, that while the responsibility for the oversight can be delegated, liability for the risk as well as for compliance is not transferable and remains with the entity.

There are many more specific details in the NYDFS regulation that covered entities will need to carefully look into as they shape their cybersecurity programs. Among them are specific initiatives that companies will either need to undertake now, or review to make sure they comply with the rule: incident response plan, data encryption, multi-factor authentication, third-party service provider security policies, penetration testing and vulnerability assessments, access privileges, and an audit trail for all these efforts, among others.

Covered entities have until February 15, 2018, to submit their first certification of compliance (annual requirement). This is a very short timeframe. I would urge companies to begin their risk assessments with utmost speed to ensure adequate time to identify and remediate any security gaps before the 2018 compliance deadline.

You can read the full regulation here.

Tackling Healthcare’s Growing Cybersecurity Crisis Starts With a Proper Risk Assessment

By David Stanton, Director
Healthcare IT Security and Privacy

As electronic medical records continue to evolve into the de facto standard, healthcare organizations are reaping the cost reduction and business and economic benefits. These benefits are attributed to advanced storage methods, fluid application data sharing and real-time business-relevant analytics. But this progress has its downside, in the form of heightened attention from cyber criminals.

In 2014, healthcare organizations accounted for approximately 25 percent of all reported data breaches – the highest percentage of any industry sector. Even more cyber intrusions are expected in the coming years because of the growing demand for protected health information on the black market. Patient medical records – often exploited for medical identity theft, fraudulent insurance claims, expensive medical equipment and drug prescriptions – can be more valuable to cyber criminals than credit or debit card numbers, which can be cancelled and reissued easily. In 2013, complete health insurance credentials sold for US$20 apiece – approximately 20 times more than the value of a U.S. credit card number with a security code. (See the latest issue of PreView, Protiviti’s newsletter on emerging risks, for more on this troubling trend.)

In the face of this growing threat, what should healthcare leaders do right now? The first step toward protecting patient information is effective risk assessment. A legitimate security framework, such as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, is a good benchmark from which to assess an organization’s cybersecurity capabilities. Though use of the framework is voluntary, we support its risk-based approach to managing cybersecurity risk.

A good portion of healthcare organizations can use improvement in the area of cybersecurity risk assessment. According to responses of healthcare leaders who participated in a Protiviti survey about cybersecurity risk and the audit process, only slightly more than half (53 percent) of respondents said they address cybersecurity as part of their audit plan, and nearly half of those acknowledged that internal audit does not evaluate the organization’s cybersecurity program against the NIST framework.

Why the inaction? One reason is perhaps a false sense of security. Healthcare organizations traditionally have placed a strong focus on HIPAA compliance, which covers risk assessment – though not necessarily information security issues. Though HIPAA does require completion of a risk assessment, it does not call for best-practice execution of security controls and adversarial resiliency. Yet organizations continue to use the HIPAA standard as comprehensive risk assessment – potentially leaving themselves exposed to cybersecurity risk.

The availability of cyber insurance also may be contributing to healthcare organizations’ less-than-stellar adoption of cyber risk assessment and lack of urgency around implementing the basic security hygiene found in other industries (e.g., patch management, encryption, asset management, system hardening and monitoring controls). But times are changing: Insurance providers are being more prescriptive about what security controls, technologies and processes must be in place to show proper due diligence, and can outright reject a claim if preventive measures weren’t implemented before the incident occurred. Cyber insurance also does not compensate for the reputational black eye caused by consumers’ perception of negligence in protecting their information.

The bottom line is this: Healthcare organizations must act now to reduce their cyber risk exposure. Initiating proper risk discussions certainly doesn’t guarantee the avoidance of a breach, or eliminate the risks completely. But it does prepare the organization to conduct five critical functions: identify, protect, detect, respond and – in the case of an incident – recover. The framework and assistance for conducting these functions are available – it’s a matter of taking the first step.