Bates Research - 02-22-17
Don’t Let Your Guard Down: State and Federal Rulemakers Move Forward on Cyber Security
The changing of the guard in Washington has not slowed down cyber security regulators at the national or state level. Over the last several weeks, longstanding efforts have continued apace. The New York State Department of Financial Services published final cyber security regulations mandating standards for banks and insurers. The U.S. Department of Commerce’s National Institute of Standards and Technology proposed updates to its 2014 Framework for Improving Critical Infrastructure Cybersecurity, and the White House itself prepared – and then postponed temporarily – a proposed new Executive Order.
New York Announces Final Cyber Security Rules
On February 16, 2017, New York State finalized regulations requiring banks and insurers to meet minimum cyber security standards and report breaches to regulators. State-chartered banks, foreign banks licensed to operate in New York, and any insurer that does business in New York must comply with the new regulations, which go into effect on March 1, 2017. Governor Cuomo lauded the “first in the nation” rules, stating that they will protect businesses and clients from “serious economic harm.”
The Department of Financial Services (“DFS”) regulations are intended to “promote the protection of customer information as well as the information technology systems of regulated entities.” The new rules require financial firms to protect their networks and customer data from hackers and to disclose cyber events to state regulators. The rules require banks and insurers to scrutinize security at third-party vendors that provide goods and services. Further, the rules require “each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.” All DFS-covered entities must annually certify compliance.
National Institute of Standards and Technology Updates Guidance
On January 25, the Federal Register issued a notice requesting comment on the National Institute of Standards and Technology’s (“NIST”) proposed update to its Framework for Improving Critical Infrastructure Cybersecurity. The widely respected cyber security standards and practices framework is an increasingly used reference for both governmental entities and private businesses. According to Gartner Research, the Framework is now used by 30 percent of U.S. organizations, and that number is projected to reach 50 percent by 2020.
The update includes new provisions for assessing cyber security risk posed by third-party vendors, and a new section on measuring the cost-effectiveness of cyber security programs. The update includes guidance on vendor risk management in order to: (i) determine cyber security requirements for suppliers and partners; (ii) enact cyber security requirements through contracts; (iii) communicate to suppliers and partners how cyber security requirements will be verified and validated; and (iv) verify that cyber security requirements are met. The update also adds a new section “that provides proposed metrics and measurements organizations can use to evaluate the relative cost effectiveness of various cybersecurity activities.”
The proposal is NIST’s first attempt to update the Framework since it was issued in February 2014, pursuant to President Obama’s February 2013 Executive Order on Cybersecurity. Comments are due April 10, 2017. The final version of the update is expected in the fall of 2017.
President Trump To Issue Cyber Security Executive Order
On January 31, President Donald Trump temporarily postponed the signing of an Executive Order that would require the heads of government agencies to play a more direct role in reviewing and managing risks to networks under their control. See a draft of the proposed Order here.
As reported, the signed Order will give the White House budget office a central role in assessing cyber risks for the entire executive branch, and will require agency heads to develop plans to modernize aging information technology systems. (Note: the proposed Executive Order specifically states that agency heads shall use the NIST Framework for Improving Critical Infrastructure Cybersecurity to manage their agency’s cyber risk.) Further, the proposed Order states that private sector owners and operators of critical infrastructure will have the support they need from the federal government to guard against cyber threats. President Trump announced that he would tap former Mayor Rudy Giuliani to initiate this process.
In combination, the New York DFS final rules, the NIST updates to the Framework for Improving Critical Infrastructure Cybersecurity, and President Trump’s pending Executive Order reflect continuing momentum toward the development of federal and state policy for controlling cyber security risk. The new policies suggest no let-up in the growing demands placed upon businesses and institutions to stay on top of, and in compliance with, evolving requirements.