Are we on the verge of a new wave of cybersecurity regulations? For many years, organizations involved in healthcare,...
financial services and other industries that deal with sensitive information built compliance programs around federal laws governing their activities. Recent cybersecurity regulatory moves by New York state may foreshadow a new trend toward state cybersecurity regulations that has many IT compliance experts worried.
IT compliance experts are already quite familiar with the alphabet soup of federal regulations. HIPAA, SOX, GLBA, FERPA, HITECH and other acronyms already produce countless hours of assessments and documentation. Even the vaunted PCI DSS has national status, even though it may not be federal law. Until now, the states haven't done much outside the limited scope of data breach notification laws.
What's happening in New York?
Four years ago, Andrew Cuomo, the governor of New York state, appointed Benjamin Lawsky as the first superintendent of a little-known bureaucracy called the Department of Financial Services (DFS). He charged this new agency with the supervision of financial products and services in the state, including the banking and insurance industries. One of Superintendent Lawsky's stated objectives for his administration is "preventing systemic risk." Recent DFS actions indicate that one of the risks targeted by Lawsky is cybersecurity.
In February 2015 the health insurer Anthem made headlines when it announced a major data breach that affected the personal information of up to 80 million clients. One of the shockwaves sent out by this breach apparently reached Albany, N.Y., where Lawsky issued a press release stating: "Recent cybersecurity breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyberdefenses. Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers. Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data."
In that same release, DFS gave some indication about what aggressive moves it would take. The department committed to conduct regular cybersecurity assessments of insurance companies, issue new cybersecurity regulations, and examine the security relationships between insurance companies and their business partners. Compliance experts at insurance companies should pay careful attention to future DFS announcements and watch for draft regulations.
Insurance isn't the only industry in Lawsky's sights. In December 2014, the department also released revised examination procedures affecting banks in New York. One of the new items regulators will scrutinize is each bank's cybersecurity insurance policy. This new insurance requirement might be startling for banks that currently don't carry such insurance.
Is this the start of a trend?
IT compliance experts are watching this activity in New York with great interest. Some believe other states may follow suit, as was the case after California adopted the nation's first data breach notification law. Others think the Federal Financial Institutions Examination Council may adopt the New York cybersecurity regulations as federal practice in coming months. Whatever the eventual outcome, the recent moves in New York are likely to cause waves across the country.
Complying with a patchwork of state regulations is of particular concern to large companies doing business in many different states. Understanding the idiosyncrasies of potentially overlapping and conflicting state laws is a very unpleasant scenario that would likely result in confusion across state lines. Let's hope the federal government recognizes this and adopts standards that preempt the state regulations with a consistent, nationwide framework.
About the author:
Mike Chapple, Ph. D., CISA, CISSP, is a senior director of IT with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for SearchSecurity.com and Information Security magazine and the author of several information security books, including the CISSP Prep Guide and Information Security Illuminated.