Looming N.Y. Cybersecurity Deadline Puts Pressure on Companies

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By John Herzfeld and George Lynch

Time is running out for financial institutions to certify compliance with New York cybersecurity rules that may expose certifying officers to liability for program lapses.

Banks, insurance companies, and other businesses regulated by the New York Department of Financial Services have until Feb. 15 to attest to their compliance with the first-in-the-U.S. state rules. Individuals who sign off on the certifications may be liable if the department’s cybersecurity compliance examinations reveal compliance failures—thereby raising questions about which officers will sign.

Even though covered businesses knew the “day of reckoning” was coming, “a number of individuals at covered entities are scrambling to ensure that the requirements are operational so they can confidently sign the compliance certification without worrying about potential liability if an exam finds otherwise,” Denver G. Edwards, a principal in the securities group at Bressler Amery & Ross PC in New York, told Bloomberg Law.

The rules require covered institutions to take specific steps to protect the privacy of their consumer data, including implementing system controls and testing, setting incident response plans, adopting high-level approvals of written policies, appointing a chief information security officer (CISO), and conducting periodic cybersecurity reviews and reporting. The first deadline for having cybersecurity measures in place was Aug. 28.

Large financial institutions with mature cybersecurity programs should be in good shape for the compliance certification deadline, but smaller companies may be struggling to meet it, Rocco Grillo, a cybersecurity global leader at Stroz Friedberg LLC, a New York-based cybersecurity consulting subsidiary of Aon Plc, told Bloomberg Law.

“Some of them are in good shape, and some of them are running around with their hair on fire,” Grillo said.

The rules, which went on the books last March, cover nearly every large U.S. bank, as well as hundreds of other banks, insurance companies, and financial institutions. They’re meant to be adaptable to varied security risks, technological changes, and internal structures.

The compliance stakes rose when New York Financial Services Superintendent Maria T. Vullo announced in her recent reminder of the Feb. 15 deadline that a cybersecurity review will be included in the department’s regular safety and soundness bank examinations. That step was “long overdue,” given the global spread of cheap, potent hacking technology, Hank Thomas, chief executive of Strategic Cyber Ventures LLC, a Washington-based investment company, told Bloomberg BNA.

Steven Chabinsky, chair of the White & Case LLP global data, privacy and cybersecurity practice in New York, told Bloomberg Law that the NYDFS has said that it doesn’t plan to penalize institutions that exercise honest, good faith judgment. Chabinsky said that companies that get it wrong—and don’t get the benefit of the doubt—"can face a wide range of enforcement and disciplinary actions that could result in large fines, increased reporting requirements, and even revoked licenses.”

Financial Liability?

The rules require “the Chairperson of the Board of Directors or Senior Officer(s)" to certify that the organization is compliant with all regulations for compliance failures.

The senior officer is defined in the rules as the senior individual or individuals responsible for the management, operations, security, information systems, compliance, and risk for the business.

“Bottom line is this regulation is a first of its kind for cyber, to hold an individual’s hands to the fire when it comes to signing on the dotted line that their company is in compliance,” Steven Grossman, vice president of strategy at Bay Dynamics Inc. in New York, told Bloomberg Law.

Though it is unclear what kind of fines individuals and companies can face for non-compliance, industry professionals “generally think it will align to the penalties in the New York banking law,” which can be as high as $75,000 per violation per day, Grossman said.

Chief Information Security Officers

CISOs will play a large role under the law, as they are required to submit annual reports and could possibly find themselves certifying their companies.

“We expect a large number of companies, perhaps the majority, will have their CISOs sign the annual certification,” Chabinsky said.

Grossman said that the responsibility of certifying compliance will increase pressure on the individual to take ownership of compliance and get a better understanding of how consumer data is protected, it will also increase personal pressure of the individual signing the certification.

“The fear of potential personal liability has led to many chief compliance officers rethinking their career path,” Grossman said.

To contact the reporter on this story: John Herzfeld in New York at jherzfeld@bloomberglaw.com; George Lynch in Washington at glynch@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security