Under the regulation — which Cuomo claims is the first of its kind in the nation — banks, insurance companies and other financial service institutions regulated by the state Department of Financial Services must, among other things, adopt a written cybersecurity policy, designate a chief information security officer and develop policies and procedures for dealing with information that is accessible to third-party vendors.
"New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks and other criminal enterprises," Cuomo said in a statement. "This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensures that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible."
The regulation was proposed Sept. 13 and is subject to a 45-day notice and public comment period before its final issuance. As long as it makes it through that process, the proposal will go into effect Sunday, Jan. 1.
That doesn't leave much time for those who need to take measures to comply with the regulation's requirements.
With many large financial institutions already having multimillion-dollar cybersecurity plans in place that in some well-publicized incidents have failed to protect consumers, Cuomo's regulation likely will have more of an impact on smaller local businesses and institutions.
Richard Shlotzhauer, senior vice president of information technology at Utica First Insurance, said that while well-intentioned, the proposed regulation carries with it some complications for those required to follow it.
Shlotzhauer said that Utica First already has many of the required pieces in place, including a formal cybersecurity program that measures 20 critical quality controls against the standards of the Center for Internet Security, and a five-person information technology staff led by the equivalent of a chief information security officer who oversees the needs of its 90-plus employees and 41,000 regional policy-holders.
He said Utica First attempts to reduce risk by minimizing the amount of personal data it collects — and never has had a data breach — but that it will have to devote time and money to complying with other areas of the proposed regulation, such as increasing the amount of data it encrypts, adding levels of authentication and imposing stricter standards on the methods of its third-party vendors.
"There's great intention to protect the public ... but when you get into regulation, you are being regulated, and who likes that?" Shlotzhauer said. "There are things in there that we feel are issues. There are definitions that we think need to be clarified and compliance dates that need to be adjusted."
While the proposed regulation will force the insurance sector to examine areas of operation that might not have been considered before, when it comes to financial institutions — which tend to deal with more levels of sensitive data — security proves to be even more critical.
At First Source Federal Credit Union, which services some 40,000 members across five regional branches and holds $450 million in assets, just about every requirement proposed in the cybersecurity regulation has been scrutinized many times over.
Marketing and Communications Director Kristy Nole said no major changes will be necessary in order for First Source to comply with the regulation. She said the credit union is looking constantly at ways to improve its security in this increasingly dangerous age.
"The new reality is there is always a risk, no matter what industry or business you are in," Nole said. "You have to take steps every day to fight it. As long as we believe the government is doing right by the consumer, we will always support its efforts."
©2016 Observer-Dispatch, Utica, N.Y. Distributed by Tribune Content Agency, LLC.