The state is on track to enacting first-in-the-nation rules about how banks respond to cyberattacks. Some say they're misguided.
New York Gov. Andrew Cuomo announced in September a first-in-the-nation regulation designed to protect the state from the growing threat of cyberattacks. The proposed rule targets the state’s financial services institutions, requiring banks and insurance companies to establish a cybersecurity program and designate a chief information security officer.
The regulation comes on the heels of what has been a banner year for data breaches, with large-scale attacks occurring at government agencies, retail companies, tech firms and health-care service organizations. Barely a week after Cuomo introduced the regulation, Yahoo announced that data from at least 500 million user accounts had been stolen by a “state-sponsored actor.” Symantec, the Internet security firm, has similarly reported that 430 million new kinds of malware were detected in 2015, a 36 percent increase from the year before.
Unsurprisingly, cybersecurity is at the top of states’ to-do lists. So far, laws have focused on regulating the exposure of personally identifiable information. In 2003, California introduced the country’s first data breach notification law, requiring companies to notify their customers and any other parties about a breach. Since then, 46 states and the District of Columbia have enacted similar legislation. But the New York proposal ratchets up cybersecurity requirements for companies in a way that has not been legislated before.
The regulation, which was subject to a public comment period that ended last month and is expected to go into effect next month, lays out a clear framework for how financial companies are to identify, protect, detect, respond and recover from a cyberattack. It sets standards that have to be reviewed regularly and requires that third-party service providers’ cybersecurity programs are evaluated. In a statement, Cuomo said the regulation will help guarantee that the “financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible.”
The mandate could provide a model for how states might regulate other industries when it comes to cybersecurity. But are such regulations necessary?
David Thaw, an assistant professor of law at the University of Pittsburgh and an expert on cybersecurity regulations, says no. He argues that New York’s proposed regulation won’t have much of an impact on the financial sector because existing federal regulations are already effective. A 1999 federal law, known as the Gramm-Leach-Bliley Act, requires banks to develop an information security plan that safeguards the security, confidentiality and integrity of customer information. “Financial institutions are already taking information security very seriously,” Thaw says.
But Cuomo proposed the new regulations in part to target smaller financial services companies and state-chartered banks, which generally fall outside the 1999 law. The governor wants to make sure small banks have the same level of protection and are required to protect consumer data to the same level as big banks.
Still, Thaw argues that what’s really needed is a comprehensive study of information security practices to find out what works and what doesn’t. Leaders haven’t really done that yet. “Having a single big breach or several big breaches doesn’t answer the question of whether we have a problem,” Thaw says. “You have to look at why the breaches happened and you have to know if the breach occurred after just a small number of attempts or whether it occurred after billions of attempts were made. We have to figure out the failure rate first.”
Thaw says that without that information, more regulations are useless. “When you make policy decisions, you don’t want to react emotionally,” he says, referring to recent breaches. “Policies can have unintended consequences.”
This story was originally published by Governing.