Information Governance Programs to be Tested by New York Cybersecurity Laws
New York’s new cybersecurity rules, the toughest in the country, touch not just core financial institutions but many businesses involved only peripherally in financial services and healthcare. Many businesses may find that their information governance programs need to be strengthened to ensure certification of compliance with the new rules. We’ll look at how organizations can upgrade their information governance platform to ensure compliance with these far-reaching regulations.
The new New York regulations are yet another example of an ongoing trend, of regulators pushing out new regulations faster than ever and with increasing penalties for non-compliance.
The Longer Reach
The new rules affect more than just the usual suspects – national and global banks doing business in New York state. These large global financial institutions already have an extensive cybersecurity infrastructure and have certified compliance with numerous other cybersecurity initiatives, and may simply need to ensure that their existing risk assessment and certification practices are consistent with the new rules.
The New York Division of Financial Services (NYDFS) also regulates insurers, specifically including health insurers, and thus huge swaths of the healthcare industry, including companies of all sizes that provide information to insurers: medical practices, laboratories and hospital facilities.
And NYDFS also regulates many smaller organizations including charitable foundations, foreign bank branches, certain types of mortgage bankers and similar companies, and providers of maintenance contracts and extended warranties on consumer products. These organizations tend to be smaller companies and may have a less-developed cybersecurity infrastructure.
These rules require third-party partners that access customer information, wherever they are located, to comply. Consequently, virtually all companies in the US who do business with covered companies in New York must determine whether they need to comply with these rules.
The New Rules
NYDFS, which regulates the financial services and insurance industries in the state, passed the nation’s toughest cybersecurity regulations in mid-September. A brief comment period closed in mid-November, and the rules take effect only six weeks later, on January 1.
The new rules require:
- A cybersecurity plan which must be reviewed annually by the Board of Directors of each organization and signed off by a C-level officer. The plan must have a specific incident response plan to deal with any cybersecurity event. Certification of the plan must be provided to NYDFS annually, including details of any potential material security breach.
- Notification of NYDFS of any material cybersecurity incident within 72 hours.
- Naming of a Chief Information Security Officer (CISO) who is responsible for compliance with the rules, and reporting to the Board of Directors at least twice a year assessing the company’s security policy and recommending improvements to fix holes or limitations. This report may be requested by New York regulators.
- Annual penetration testing of relevant information systems, and quarterly vulnerability assessments of those systems.
- Specific provisions to “log system events including, at a minimum, access and alterations made to the audit trail systems by the systems or by an Authorized User, and all system administrator functions performed on the systems.”
- Six-year record retention requirements, which are longer than those required in other contexts, potentially increasing exposure in unrelated litigation. Not only is retention longer, but prompt destruction requirements are specified as well.
- Significant third-party requirements. Third parties accessing covered customer information must certify their own cybersecurity program, which covered financial and healthcare institutions must assess annually. Third-party companies must notify a covered customer organization immediately of any security breach. And they must warrant that their products and services are free of “viruses, trap doors, time bombs and other mechanisms that would impair the security of the Covered Entity’s Information Systems or Nonpublic Information.” It is important to note that third-party companies may not just be IT organizations, but may include auditors and legal firms, among others.
- Requiring specific best practices, including two-factor authentication and encryption “to protect nonpublic information in transit and at rest.”
- Significant penalties for non-compliance and significant costs to help consumers affected by security breaches, including providing identity protection services to people whose data has been compromised.
Information Governance Implications
While the obvious thrust of the new regulations is to ensure that transaction systems are secure, document and messaging systems are also an integral part of compliance, and the penalties for an insecure messaging infrastructure are no less than those for a core financial system.
In our view, perhaps the best way to ensure compliance of a company’s messaging infrastructure is to ensure that personally identifying information doesn’t get created in the first place. If it is created inadvertently, moving it to a dedicated archive system and out of a more easily-hacked email system as soon as possible provides a greater level of security. Organizations thus may need to consider front-end tools for scanning and classifying their documents in real time.
Companies will need to ensure that their existing products can secure information “in transit and at rest.” Unfortunately, meeting this requirement may require an upgrade to a different archiving or information governance platform, because it may be difficult for an existing insecure provider to add security for information at rest if it’s not already built into the product. While the thought of the migration is unpleasant for IT organizations, the risk of noncompliance with these regulations is far more unpleasant to the organization as a whole. Fortunately, there are information governance platforms available, including those from Capax Discovery, that make migration to a next-generation IG platform straightforward.
In case of a cybersecurity incident, companies will need to be able to assess the scope of the breach of customer information faster than ever before. Because of the need to provide identity theft protection to the specific customers affected, companies will need to be able to assess exactly what data was stolen, even in the face of a skilled hacker attempting to cover his tracks by deleting messages involving customer information.
Most importantly, companies will need to look at their information governance operation in detail to certify compliance to the Board of Directors. They may discover significant holes in information governance, requiring immediate investment in moving to a more comprehensive information governance strategy than they now have in place.
And given the time needed to achieve compliance with the specific requirements of these rules, it may be appropriate for companies to consider upgrading their information governance platform to accommodate all emerging requirements at once. It may be too risky and too expensive to wait for a legacy archive system to gain not only the specific features needed for these regulations, but the entire range of features needed to comply with the ever-widening scope of regulatory requirements.
The new NYDFS cybersecurity regulations are a catalyst for many companies to reevaluate their information governance and archiving platforms. While the largest global financial institutions may already be substantially in compliance with the new rules, smaller and more specialized firms, especially those in industries not typically subject to such stringent regulation, may find their infrastructure fatally flawed.
Thus, reevaluation of the cybersecurity of information governance platforms may shortly turn into a full-blown replacement cycle as many companies discover that their existing systems are not capable of meeting requirements that come online in only a few short weeks. Replacement may be the only option.
Capax Discovery’s CAS suite is a modern information governance platform that not only meets the specific technical requirements of the new NYDFS regulations, but helps meet a broad swath of emerging needs. Our machine learning technologies, optionally boosted by unique hardware acceleration, give companies the tools they need to understand their data faster than ever, to make better decisions on using that data, and to meet more rapidly changing compliance requirements than ever before.
Contact us for more information on how we can help you more effectively and securely utilize all of our solutions, services, and products.