Beginning this year, financial and insurance companies in the state of New York will have to comply with some of the country’s most stringent and far-reaching cybersecurity regulations. In September, Governor Andrew Cuomo announced the new rules, which are meant to protect consumers, companies, and our financial infrastructure from the growing threat of cyberattacks. The regulations in their final form address a number of topics mainly focused on how a firm is organized and equipped to respond to cyber threats. For example, they require covered entities to implement cybersecurity programs and policies, employ a Chief Information Security Officer, provide cyber awareness training, assess and manage risk, and employ technical measures like multifactor authentication. Though the regulations mainly pertain to how a company ought to secure itself against hackers, the wide scope of these new rules—all financial and insurance institutions in New York state are covered—means that there are certainly implications for individual privacy as well. Of note, provisions pertaining to encryption, data retention, access privileges, and incident notification and response will benefit firms and clients alike.
Encryption is a security tool that directly promotes privacy. Strong encryption algorithms secure data both at rest and in transit from the prying eyes of hackers. While encryption as a practice is generally recommended, it is especially critical in industries that regularly interact with personally identifiable information (PII). New York’s financial and insurance firms handle the PII of millions of clients, and it would be irresponsible to insecurely store and transmit that information. Recent events have demonstrated that data breaches are injurious to firms, but the affected individuals will also face threats of fraud, theft, and so on. A regulation requiring encryption of nonpublic data handled by financial and insurance firms will benefit those firms, despite the associated short-term costs. In the long term, individuals’ trust in the firms will grow. Thus, the rule benefits both the firms and the individuals.
The new regulations also require firms to periodically dispose of any client data that are no longer necessary for business operations. This rule would appear to place a burden on firms, but it actually benefits both firm and individuals. Without this rule, a firm would likely forgo such a policy and adopt the role of data custodian. The custodial approach is expensive in the long term and unnecessarily places individuals’ data at risk. As more client data accumulates, it becomes more difficult to control that information and ensure its integrity. Hence, it would benefit all concerned parties to require that firms properly dispose of irrelevant client data. Storage costs will decrease for the firm, and individuals will have greater control over retained data.
For the data that is retained, it will be incumbent upon firms to ensure only authorized employees have access. The new regulations specify that the principle of least privilege must be observed by firms. The guiding belief is that the fewer people with access to PII, the better from a privacy perspective. For example, there is no reason why a firm’s CEO would need access to clients’ account details. It would be reasonable, then, to limit her access to that PII by segmenting the network and enforcing least-privilege access. The regulations go one step further to make review of user access a periodic requirement so that potential attack vectors are closed when authorized users’ access privileges change.
In the absolute worst case, the new regulations compel firms to notify regulators within 72 hours of a substantial cyberattack. Firms are also required to maintain an incident response plan that details how affected individuals should be notified and assisted. Firms obviously have a market incentive to ensure incidents are resolved quickly to maintain their bottom line. More significantly, the regulations now codify firms’ ethical responsibility to notify individuals of data breaches. Although incident notification and response are inherently reactionary, these policies should allow individuals to invest more trust into firms. In the event that a breach occurs, firms and individuals will be able to work together to quickly resolve the issue.
The new regulations were designed in response to the types of breaches that have affected JP Morgan, the Bangladesh central bank, and others: Relatively simple in sophistication but potentially disastrous in consequences. While security and privacy are often at odds, in this particular case, the security standards imposed on firms also protect individuals’ privacy. As a major world financial center, New York’s prominence will likely make it a trendsetter with regard to cybersecurity regulations. It is probable, then, that the protections afforded to consumers with these new security regulations will also advance individual privacy elsewhere as well. The regulations may be somewhat costly in the short term, but they should foster confidence in two intrinsically risky industries, which will be beneficial in the long term.