NY’s Proposed Cybersecurity Regulations come up Short

Christopher W. Folk

Governor Cuomo released proposed regulations yesterday through the Department of Financial Services (“DFS”) that would require Covered Entities to hire Chief Information Security Officers (“CISO”) and perform a number of other cybersecurity tasks which seems like a good step towards enhanced cybersecurity, but is it really?

First, let us examine what entities are actually covered under these new “regulations.” Under § 500.1 Definitions

Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.

A person is further defined as any individual, partnership, corporation, association or any other entity.

So take the realm of persons and entities engaged in business in New York and extract out the piece that includes: banking, insurance, and financial services and you have the business sector that would be impacted by Cuomo’s regulations.

Now that we have identified the “who” let us examine the “what.”  Under these regulations, each covered entity must develop a cybersecurity program designed to “ensure the confidentiality, integrity, and availability of the Covered Entity’s Information Systems (“IS”).” The cybersecurity program must:

  • identify internal and external cyber risks;
    • identify Nonpublic Information (“NpI”) stored by Covered Entity’s IS
    • identify the sensitivity of NpI
    • identify access to NpI
  • use policies, procedures and also defensive infrastructure to protect IS from
    • either unauthorized access; or
    • other malicious acts
  • detect Cybersecurity events;
  • respond to identified or detected Cybersecurity events to mitigate;
  • recover from Cyber events and restore normal operations and services; and
  • fulfill all regulatory reporting requirements

Furthermore, a Cybersecurity Policy must be implemented and maintained and must minimally address the following:

  • Information Security;
  • data governance and classification;
  • access controls and identity management;
  • business continuity and disaster recovery planning and resources;
  • capacity and performance planning;
  • systems operations and availability concerns;
  • systems and network security;
  • systems and network monitoring;
  • systems and application development and quality assurance;
  • physical security and environmental controls;
  • customer data privacy;
  • vendor and third-party service provider management;
  • risk assessment; and
  • incident response

Some of the other activities the Covered Entities must undertake include:

  • The designation of a Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the cybersecurity program and enforcement of the cybersecurity policy;
  • Penetration Testing and Vulnerability Assessments;
  • Implementation and maintenance of an audit trail;
  • Review and limitation of access privileges;
  • Construct written procedures for in-house applications and procedures for assessing and testing commercial applications;
  • conduct risk assessments;
  • employ cybersecurity personnel and provide them with on-going training and updates related to cybersecurity
  • develop written policies and procedures with respect to IS “accessible to, or held by, third parties…;”
  • implement multi-factor authentication (“MFA”);
  • impose time limits on data retention;
  • provide and attend on-going training;
  • encryption:
    • data-in-transit: encrypt unless infeasible, in that case, use appropriate alternative controls (for up to one year after regulation becomes effective);
    • data-at-rest: encrypt where feasible, where not, use alternative control for up to five years from the date regulation takes effect;
  • develop a written incident response plan;
  • report cybersecurity events to the superintendent if affecting NpI; send yearly compliance reports as well;
  • Exemptions:
    • fewer than 1,000 customers in each of last three calendar years;
    • less than $5,000,00 in gross annual revenue for each of the last three fiscal years;
    • less than $10,000,000 in year-end total assets (calculated according to GAAP)
  • Effective date: January 1, 2017

It certainly sounds like covered entities have been given a comprehensive list of to-do’s; however, when one looks more closely it becomes clear that the devil is in the details (or rather the lack thereof).

At a very high level, one can look to previous statements by the Cuomo administration touting how business-friendly New York is and how much the Government is doing to attract and retain businesses to the Empire State.  If you then look at these regulations in the context of a business climate you must consider what the true goals of the regulations are.  If the desire is to increase New York’s cybersecurity posture and to help both consumers as well as businesses to navigate these ever-changing and difficult technical areas then you have to consider — “was there perhaps a clearer, more efficient, and more compelling approach?”  These pages and pages of regulatory verbiage make it seem as though NY is committed to improving cybersecurity, by encouraging (mandating) that certain businesses move in this direction and that ultimately this helps to protect our personally identifiable information (“PII”).

If the Administration wanted to “help” make NY more cyber-secure then working with entities and providing resources and assistance would seem a more prudent approach than simply deciding to promulgate regulations through DFS that will impact a very narrow business sector.  While the insurance, financial, and banking sector is arguably critical and replete with NpI and PII singling this sector out merely because they are licensed and can be controlled by DFS doesn’t serve the greater purpose.  The Administration should be building relationships and helping small businesses, new businesses, existing businesses to adopt sound cybersecurity policies and to be able to do so without having to bring in expensive outside expertise.  The reality is that once you couple the sectors not covered by these regulations with those that are able to exempt out, you end up with a significant number of entities and persons that have access to, use, and retention of PII and that lack the technical expertise and the resources to adequately protect this PII.

 

Issues: CISO Mandate

According to a blog by the NCX Group “The Real Reason why Organizations aren’t hiring CISOs” CISOs are often perceived as the holy grail, having a mix of technical as well as business skills, while being able to single-handedly thwart attacks, maintain a constant state of vigil in an ever-changing vulnerability paradigm and bring bottom-line value to an organization.  Furthermore, a recent article in Forbes “Top U.S. Cybersecurity Salaries Rise to $420,000” notes that the average salary for a CISO in New York City is $406,000.  Thus, even if some of these entities were to use a virtual CISO (“vCISO”) or a virtual Security Operations Center (“vSOC”) the outlay is likely to be significant and to what end?  Hiring a CISO or contracting with a vCISO is one small piece of the pie, there is still an inordinate amount of legwork required to assess the current state of Information Security, to develop protocols and processes, to implement new security controls, user training, all of these are very real and direct hits to the bottom line and if the result is that firms simply relocate across the Hudson to avoid these new regulations is that really a win for NY and for customers?

 

Issues: Third Parties

The regulations here require that NpI held by third parties doing business with the Covered Entity must include provisions within the contracts that include a number of cybersecurity provisions such as the third party must encrypt NpI data-at-rest and data-in-transit; must use Multi-Factor Authentication; third party must warrant that the service or product is devoid of any malware or other mechanisms that might impair the IS or NpI of the covered entity; and the Covered Entity shall have the right to perform cybersecurity audits of the third party service provider.

This is extremely problematic.  Consider, the case of a Covered Entity that has been using Amazon Web Services (“AWS”) for its hosting and cloud computing needs.  Once these new regulations are implemented the Covered Entity must execute a new agreement with AWS which includes the aforementioned clauses.  Unfortunately, the Covered Entity is going to be looking for a new service provider because AWS is not going to rewrite their boiler-plate contracts for a small Fortune 1000 covered entity. Even in the case of a Fortune 100 company, AWS is unlikely to execute a contract whereby they allow a customer to perform cybersecurity audits against AWS systems.  In the vast majority of these cases, the third party is not going to be on parity with the Covered Entity and is going to have an unfair bargaining position. Thus the Covered Entity will be faced with moving to a smaller third party that has some flexibility in their contract provisions, relocating these services back in-house, or will simply fail to comply.  Any of those scenarios seems replete with cybersecurity issues.

 

Issue: Encryption

Under these regulations, NpI that is deemed “infeasible” to encrypt will be exempt for a period of 1 to 5 years (1 year for data-in-transit and 5 years for data-at-rest).  First of all, the proliferation of data-at-rest-encryption (“DARE”) runs counter with the regulations that would allow data-at-rest to remain unencrypted for up to five years after this regulation takes effect.  While in-flight data which can also be encrypted by any number of either open-source or commercial means must be encrypted no later than one year after the regulations are implemented.  How does this disparity further cybersecurity goals?  What is the value of encrypting NpI while it is being transmitted and then allowing it to remain unencrypted at either end or whenever at-rest?  As someone looking for exploits, this advises the world to focus on data-at-rest knowing that there is a strong likelihood that it will be sitting around unencrypted whereas data moving through the network is likely going to be more difficult to correlate and exfiltrate.

 

Summary

If New York actually wants to improve the cybersecurity climate and remain business-friendly, then the creation of a NY-CISO and a NY Security Operations Center that is tasked with helping entities develop and adopt wise cybersecurity policies is more likely to yield positive results and a faster return on investment.  In truth, the larger entities that would be subject to the DFS regulations already have or are in the process of adding a CISO and they understand that their stakeholders demand at least basic cybersecurity hygiene.  Consequently, it is likely that all of the time and effort that went into the development of these regulations, the press releases, the “Victory for NY Cybersecurity” speeches, could have been devoted to building a team that could actually go out and assist businesses and individuals rather than just creating feel-good, do-little verbiage laden regulations [Editor’s Note: the author acknowledges that he has no data with respect to the cost incurred to develop and promote these regulations.  However, the author posits that this effort cost something and that these resources would have been better spent doing rather than drafting].

 

Consider a Different Approach

Create the NY-CISO, implement a team that will work alongside entities to help them move to a cyber-secure posture.  Help businesses across NY, not just the big businesses in New York City.  Build a cybersecurity cooperative that encourages information sharing and rewards rather than punishing businesses for initiating contact and securing PII.  Provide NY businesses with the same liability relief as businesses enjoy under the Cybersecurity Information Sharing Act (“CISA”) of 2015 (entities that share information are shielded from liability that arises as the result of a data breach).  Cybersecurity should be viewed as a basic function of the State and as such, the State should create an agency or department that is equipped with handling cybersecurity matters and is able to improve the NY cybersecurity climate in both the public and private sectors.  If we learned anything from the OPM Data Breach it is that the public sector is not, and should not be exempt from cyber-hygiene and cybersecurity policies and protocols.  The banking, insurance, and financial services industries are not the only ones that use and retain PII.  Therefore, we need to tackle cybersecurity across the spectrum and not in the myopic view of DFS’s definition of covered entities.  The goal should be to protect PII and any business that deals with PII should receive cybersecurity assistance to further the fundamental goals of the state. The cost of breaches for both consumers and businesses is enormous and it is therefore in New York’s best interest to invest in education, training, and assistance to make NY a leader in cybersecurity and a model for the Nation.  Rather than drafting legislation to mandate compliance and to determine “what” businesses need to do NY should invest in enhancing its industries which will foster increased business development and promote rather than prevent in-migration of people and businesses looking for a cyber-secure environment.