Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Time is running out for financial institutions to certify compliance with New York cybersecurity rules that may expose certifying officers to liability for program lapses.
Banks, insurance companies, and other businesses regulated by the New York Department of Financial Services have until Feb. 15 to attest to their compliance with the first-in-the-U.S. state rules. Individuals who sign off on the certifications may be liable if the department’s cybersecurity compliance examinations reveal compliance failures—thereby raising questions about which officers will sign.
Even though covered businesses knew the “day of reckoning” was coming, “a number of individuals at covered entities are scrambling to ensure that the requirements are operational so they can confidently sign the compliance certification without worrying about potential liability if an exam finds otherwise,” Denver G. Edwards, a principal in the securities group at Bressler Amery & Ross PC in New York, told Bloomberg Law.
The rules require covered institutions to take specific steps to protect the privacy of their consumer data, including implementing system controls and testing, setting incident response plans, adopting high-level approvals of written policies, appointing a chief information security officer (CISO), and conducting periodic cybersecurity reviews and reporting. The first deadline for having cybersecurity measures in place was Aug. 28.
Large financial institutions with mature cybersecurity programs should be in good shape for the compliance certification deadline, but smaller companies may be struggling to meet it, Rocco Grillo, a cybersecurity global leader at Stroz Friedberg LLC, a New York-based cybersecurity consulting subsidiary of Aon Plc, told Bloomberg Law.
“Some of them are in good shape, and some of them are running around with their hair on fire,” Grillo said.
The rules, which went on the books last March, cover nearly every large U.S. bank, as well as hundreds of other banks, insurance companies, and financial institutions. They’re meant to be adaptable to varied security risks, technological changes, and internal structures.
The compliance stakes rose when New York Financial Services Superintendent Maria T. Vullo announced in her recent reminder of the Feb. 15 deadline that a cybersecurity review will be included in the department’s regular safety and soundness bank examinations. That step was “long overdue,” given the global spread of cheap, potent hacking technology, Hank Thomas, chief executive of Strategic Cyber Ventures LLC, a Washington-based investment company, told Bloomberg BNA.
Steven Chabinsky, chair of the White & Case LLP global data, privacy and cybersecurity practice in New York, told Bloomberg Law that the NYDFS has said that it doesn’t plan to penalize institutions that exercise honest, good faith judgment. Chabinsky said that companies that get it wrong—and don’t get the benefit of the doubt—"can face a wide range of enforcement and disciplinary actions that could result in large fines, increased reporting requirements, and even revoked licenses.”
The rules require “the Chairperson of the Board of Directors or Senior Officer(s)" to certify that the organization is compliant with all regulations for compliance failures.
The senior officer is defined in the rules as the senior individual or individuals responsible for the management, operations, security, information systems, compliance, and risk for the business.
“Bottom line is this regulation is a first of its kind for cyber, to hold an individual’s hands to the fire when it comes to signing on the dotted line that their company is in compliance,” Steven Grossman, vice president of strategy at Bay Dynamics Inc. in New York, told Bloomberg Law.
Though it is unclear what kind of fines individuals and companies can face for non-compliance, industry professionals “generally think it will align to the penalties in the New York banking law,” which can be as high as $75,000 per violation per day, Grossman said.
CISOs will play a large role under the law, as they are required to submit annual reports and could possibly find themselves certifying their companies.
“We expect a large number of companies, perhaps the majority, will have their CISOs sign the annual certification,” Chabinsky said.
Grossman said that the responsibility of certifying compliance will increase pressure on the individual to take ownership of compliance and get a better understanding of how consumer data is protected, it will also increase personal pressure of the individual signing the certification.
“The fear of potential personal liability has led to many chief compliance officers rethinking their career path,” Grossman said.
To contact the reporter on this story: John Herzfeld in New York at email@example.com; George Lynch in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)