Page 105 - Cyber Warnings

more time-consuming process of ensuring compliance with differing and potentially conflicting
cybersecurity controls for companies operating in multiple states. The legislation of specific
cybersecurity controls is often similar to existing state standards, but with key differences. On
March 1, 2017, the New York State Department of Financial Services (DFS) mandatory
cybersecurity requirements for financial services became effective. The requirements broadly
cover all DFS-regulated entities, including, by extension, unregulated third-party service
providers to regulated entities.

This not only includes state-chartered banks, licensed lenders, private bankers, service contract
providers, trust companies, and mortgage companies, but also foreign banks licensed to
operate in New York and any insurance company doing business in New York. This regulation
delineates various minimum standards and requires a risk-based cybersecurity program tailored
to each company’s specific risk profile. Significantly, the regulation requires covered entities to
file an annual certification of compliance with the regulation, and it will likely require significant
changes to the cybersecurity programs of many institutions. Unlike existing state laws with specific
provisions, the DFS regulation requires annual cybersecurity risk assessments and specific
steps that must be undertaken with respect to all third-party service providers. It also contains
minimum standards similar to other laws, including with respect to multifactor authentication and
encryption.

Other states have recently become active as well. This may be a reaction to a perceived lack of
adequate federal legislation, weakened enforcement by federal regulatory bodies, or the
prevalence and high-profile nature of major security incidents. We have seen states step in to
fill such perceived gaps, including with the introduction (and passage) of legislation in several
states following the repeal of the Federal Communications Commission regulation expanding
privacy rules to broadband providers. Similarly, states have introduced legislation attempting to
place parameters on what a reasonable cybersecurity program must have, including what
minimum standards would be required (focusing on risk assessments, training, policies,
ensuring appropriate responsibility, and third-party service provider management).

One pending bill in California attempts to place some parameters (with respect to both privacy
and security) on connected devices. The bill, SB-327, defines connected devices as any
device, sensor, or other physical object that can connect to the Internet or another connected
device, directly or indirectly. In addition to data collection and consent requirements, the
provisions of the bill may inhibit the growth of the Internet of Things (IoT) market or make the
manufacture of IoT devices subject to the California bill difficult. The bill requires all
manufacturers of connected devices to detail the process by which a connected device
consumer can obtain security patches and feature updates for the IoT device. It is unclear how
manufacturers will be able to implement this requirement should it pass, but it shows the desire of
states to regulate cybersecurity.

State legislatures are not the only state parties that have shown an increased focus on
regulating cybersecurity. For several years, the Federal Trade Commission (FTC) has been the
most active regulatory body concerning data security, investigating and entering into consent

105 Cyber Warnings E-Magazine – June 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide