From Guidance to Compliance: What does New York’s Cybersecurity Regulation Mean?

New York State’s new cybersecurity regulation for financial institutions is meant to help safeguard companies and the industry against cybersecurity threats. It goes beyond many other regulations by, among other things, making some of the guidance and recommended best practices mandatory. Cybersecurity is already considered a material ESG risk for the financial services industry, but with the new regulation this risk is compounded with regulatory concerns.

New York’s Wide-reaching Cybersecurity Regulation

Effective 1 March 2017, the New York State Department of Financial Services – the State’s financial services sector regulator– enacted a new piece of cybersecurity regulation for financial services companies licensed by, or operating in, New York. The new regulation, entitled 23 NYCRR Part 500, imposes compliance burdens that move beyond the applicable corporate laws, by mandating certain practices that most other regulations only recommend as best practices.

Following the 180-day transitional application period that ended on 28 August 2017, the new regulation requires financial services companies to:

• Implement a cybersecurity program;
• Adopt a cybersecurity policy;
• Designate a Chief Information Security Officer to oversee the cybersecurity program;
• Establish an incident response plan; and
• Conduct annual penetration testing and bi-annual vulnerability assessments.

In relation to the above requirements, the new regulation sets out minimum standards and detailed mitigation actions companies have to take, making it far more prescriptive than most of the existing regulations. For instance, it states that the cybersecurity program is required to have an encrypted defensive infrastructure to prevent unauthorized access and a comprehensive incident response plan, which must identify the relevant decision makers as well as describe the processes for responding to a cybersecurity incident and sharing information. In other words, 23 NYCRR Part 500 does not just state that the company requires a cybersecurity program, but goes on to specify what the program must encompass.

The detailed disclosure requirements of 23 NYCRR Part 500 go beyond what we have seen in the current regulatory filings of most companies. This includes companies from different industries that we’ve identified as leaders in this field. For example, Vodafone is one of the companies that discloses the most detail about the measures it takes to prevent security breaches, but even they fail to disclose the content of their cybersecurity program, which is a requirement for financial services companies under the new regulation.

Another interesting facet of the new regulation is that it further increases the board’s responsibility. For example, the designated Chief Information Security Officer is required to evaluate the implementation of the company’s cybersecurity program and report material cybersecurity events to the board on an annual basis. The board or a senior executive officer will also need to approve the company’s cybersecurity policy. Taken together, these requirements signal that regulators are increasingly expecting the board to be more accountable for managing cybersecurity issues, which may be of interest when considering the board composition and their skill set.

Regulatory Risk: The Case of Equifax

On 7 September 2017, Equifax reported that it uncovered a serious cybersecurity breach whereby hackers had accessed the company’s IT systems between May and July 2017. The hackers stole the personal data – including social security numbers and addresses – of around 143 million people. In the immediate aftermath of the company’s disclosure, the company lost USD 4 billion in market value and its Chief Information Officer and Chief Security Officer retired. It is also facing numerous lawsuits and investigations by US state and federal authorities.

It is anticipated that the US SEC will assess the extent to which the company was aware of cybersecurity risks before the breach. If the SEC finds that the company failed to disclose cybersecurity risks adequately, it may take regulatory action against the company. The New York regulation is stricter than SEC regulation with regard to identifying and disclosing such risks. While this may help to reduce the likelihood of the risks manifesting in financial harm and regulatory sanctions, it could also mean that transgressions and non-compliance may be punished more severely. 23 NYCRR Part 500 states that affected companies must submit their first annual certificate of compliance by 15 February 2018. Non-compliance can result in civil penalties and, without there being a precedent for how all these new stringent requirements should be implemented, it could mean that companies that have been breached may now face additional regulatory risks.

While high-profile cybersecurity incidents have gained global attention in recent years, few countries have enacted as strict rule-based cybersecurity regulations as 23 NYCRR Part 500. At the same time, we are seeing regulatory bodies exercising far-reaching enforcement actions in other industries, signaling a move away from “soft law” towards increasingly stringent minimum industry standards that are legally enforceable. For example, TalkTalk was fined twice – in 2017 and 2015 for GBP 100,000 and GBP 400,000, respectively – for failing to protect customer data. Will 23 NYCRR Part 500 signal a similar trend for the financial services industry? These are important developments that investors will have to monitor closely both as they implement the new requirements and manage related ESG and regulatory risks within their portfolios.