New York Cybersecurity Regulations: An Important Step, but Still a Long Way From the GDPR

Posted by Tony Kontzer

Leave it to New Yorkers to take a uniquely aggressive stand against cybercrime. Sure, the effort only protects one industry, but we have to start somewhere.

As home to the world's greatest concentration of financial services firms, not to mention the most powerful stock exchanges on the planet, New York has a lot to protect. Which is why Gov. Andrew Cuomo in 2016 directed the state's Department of Financial Services to draw up cyber regulations beyond anything any state or federal agency had ever adopted.

The regulations, which took effect March 1, 2017, but are being phased in over time, were the subject of a detailed report from Business Insider last month that made it clear that while regulations like New York's are overdue, they're far from enough.

But at least the regulations, which call for penalties for firms that don't comply, have financial firms starting to think about taking the initiative when it comes to securing customers' sensitive data. And perhaps, finally, they're understanding that it really doesn't matter whose fault a breach is.

"Everyone is part of our cybersecurity team," Theresa Pratt, CISO at New York-based Market Street Trust, told Business Insider. "It doesn't matter what I or my colleagues do from a technical perspective. If I have one user who clicks a bad link or answers a phisher's question over the phone, it's all for naught."

And make no mistake, such breaches are happening more than ever. In fact, Business Insider cited an IBM report that found that more than 200 million financial records were breached in publicly acknowledged incidents during 2016, a whopping 937-percent increase from 2015.

Such statistics raise serious questions about an industry that should have long been ahead of this issue given the stakes. Instead, there's plenty of evidence that efforts to secure consumers' financial information are coming up short. For instance, a recent survey from British managed-services provider Claranet found that despite the pending May 2018 deadline to conform with Europe's aggressive new General Data Protection Regulation, 69 percent of firms admit they're not able to secure customer data effectively.

"There can be little doubt that data security is the most pressing issue facing financial businesses today, and that sound security practices are the foundation on which these organisations are built," Michel Robert, UK managing director at Claranet, recently told the Financial Adviser. "But our research confirms this is an area in which most financial institutions are failing. Thinking more broadly, the fact that almost seven in ten organisations can’t guarantee the security of their customer data is particularly concerning."

That's putting it mildly.

The good news is that New York's new regulations may be inspiring other states. In fact, Business Insider reported that more than 240 bills or resolutions governing cybersecurity have been introduced in at least 42 states, according to the National Conference of State Legislatures. Colorado and Vermont have actually introduced regulations of their own since New York's took effect.

But consider that one state enacting regulations governing a single industry is reason to celebrate in the U.S., while the GDPR governs every industry across 28 member nations of the European Union. And Matthew Waxman, a professor at Columbia Law School and co-chair of the Cybersecurity Center at the Columbia Data Science Institute, told Business Insider that it would likely take a breach with wide-ranging implications to spur such broad action here.

"It's sometimes very difficult to get the government to take action against certain threats until a catastrophe takes place," Waxman said. "But that could change very suddenly if the banking system were knocked offline or another very major disruption to everyday life affected the lives and security of citizens on a massive scale."

The goal of regulations like the ones New York has adopted is to take us beyond that, though. Reacting to breaches after they occur has proven to be an ineffective strategy; instead, the most successful security approaches today involve some kind of predictive element that gets companies out ahead of the bad guys. What consumers need is for the stewards of their valuable data to take a proactive stance in which breaches are considered unacceptable before they happen.

Maybe with New York's help, we're one step closer to making that happen.

Tony Kontzer, RSA Conference

