New York cybersecurity regulations may apply globally
Financial institutions around the world should consider whether their operations are subject to the NYDFS's new cybersecurity regulations
It is my hope for our future that the blame for, and the costs of, cyber crime, cyber espionage and cyber warfare will fall more squarely on the offenders than on the victims, and that in doing so we will achieve greater threat deterrence
White & Case partner Steven Chabinsky, The Wall Street Journal
The reach of new cybersecurity regulations issued by New York authorities in 2017 may extend well beyond the state of New York, potentially affecting financial institutions that are not headquartered in the US, including those that operate almost entirely outside of New York and the US.
The New York State Department of Financial Services (NYDFS) put new Cybersecurity Requirements for Financial Services Companies into effect on March 1, and compliance deadlines began on August 28. Under the new rules, the NYDFS requires that its regulated entities "ensure the safety and soundness of the institution," while also protecting their customers.
The rules require covered banks, insurance companies and other financial services institutions to implement a thorough 14-point cybersecurity policy and submit an annual certification that confirms their compliance with the rules and documents necessary improvements they may need to make to their cybersecurity programs. Institutions not only have to consider "relevant risks" to their businesses but also must "keep pace with technological advances."
Although the rules directly apply only to financial services institutions specifically regulated by the NYDFS (those with operations subject to NYDFS jurisdiction), requirements may apply indirectly to financial institutions with foreign headquarters and could even affect their non-US operations.
Large enterprises typically rely on unified information technology platforms with centrally managed security to handle their global operations. If any segment of a financial institution's enterprise falls under the jurisdiction of the NYDFS, the institution's entire shared network operations may be subject to New York's regulatory review.
Building a more secure ecosystem
White & Case partner Steven Chabinsky testified about cybersecurity during a hearing of the US Senate Committee on Homeland Security and Governmental Affairs in May 2017. He called for the government to step up efforts to address the threat by prosecuting and launching countermeasures against hackers who break into private or public sector systems, and by helping to establish guidelines for digital products and services that would improve their security. These efforts would be more effective than mandating corporate security protocols, he argued.
His remarks echoed a primary message from the White House Commission on Enhancing National Cybersecurity report, which he helped to draft with 11 other security experts and technology company executives. The report stated that "to the maximum extent possible, the burden for cybersecurity must ultimately be moved away from the end user…to higher-level solutions that include greater threat deterrence, more secure products and protocols, and a safer internet ecosystem."