New York State cybersecurity regulations: Who wins?

As you probably know by now, on February 16, the State of New York’s Department of Financial Services (DFS) finalized its new cybersecurity regulations, which take effect on March 1, 2017. 

These regulations are somewhat redundant with others in the financial services industry (i.e. FFIEC, GLBA, NIST CSF, OCC, etc.) but tend to go a bit further with several specific prescriptive requirements. For example, the New York State cybersecurity regulations cover nonpublic data (rather than customer data), mandate the presence of a CISO (or third-party equivalent) and require a program for secure data destruction.

At this point, the New York State DFS cybersecurity regulations are the most stringent (civilian) rules in existence. Thus, other countries, industries and states will have a keen interest in how they roll out, what challenges they present, and how they are modified in the future. 

Beyond regulatory bodies, however, there are numerous interested parties, including cybersecurity professionals, technology vendors and service providers. This begs an obvious question: Which groups and technologies stand to benefit most from NY DFS 23 NYCRR 500? Here’s are initial 2 cents:

• NIST. The New York State cybersecurity regulations demand that covered entities “maintain a cybersecurity program” designed “to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts” (500.02). It also calls for the implementation and maintenance of cybersecurity policies approved by corporate boards. Mid-sized financial service vendors looking for solid examples of tried-and-true cybersecurity programs and policies will embrace numerous NIST models, such as the Cybersecurity framework and the NIST 800 series of publications.
• Cybersecurity professionals. DFS regulations stipulate that covered entities employ a CISO to lead cybersecurity programs. According to the recently published research report from ESG and the Information Systems Security Association (ISSA), 67 percent of organizations have a CISO in place today. This indicates that many financial services firms in New York must promote, hire or outsource this position—a requirement that won’t come cheap. DFS regulations also call for a qualified and appropriate cybersecurity staff as well as ongoing staff training.  I blogged about the training challenges related to the new cybersecurity regulations the other day, but the recruiting competition will also be intense. According to the ESG/ISSA research, 46 percent of cybersecurity professionals are actively recruited to consider another job at lease once per week!  Looks like stocks and bonds won’t be the only active market on Wall Street. 
• Security Operations and Analytics Platform Architecture (SOAPA). New York State cybersecurity regulations pose many requirements for security operations, including publishing a documented incident response plan (500.16), monitoring the activities of authorized users and maintaining audit logs. In aggregate, the DFS regulations demand advanced security operations capabilities and more security operations integration, collaboration and reporting. Addressing these needs will drive a wave of product purchases in areas such as user behavior analytics (Caspida, E8, Exabeam, etc.), SIEM (AlienVault, IBM, LogRhythm, Splunk), and other security analytics capabilities across networks, hosts and threat intelligence. This, in turn, will accelerate projects to integrate individual security operations tools into a common security operations and analytics platform architecture (SOAPA).  
• Identity and Access Management (IAM) tools. The new regulations call for the use of multi–factoror risk-based authentication “for any individual accessing the Covered Entity’s internal networks from an external network (500.12)” and as a means for protecting nonpublic data wherever it lives. This mandate will accelerate projects intended to eliminate and replace user name/password authentication, driving procurement of MFA tools and services. Look for massive deployment of mobile phone-based authentication technologies (CA, Duo, RSA, Symantec, etc.) as well as IAM services (Microsoft, Okta, Ping, etc.).
• Encryption technologies. There’s a little wiggle room here, but in general, NY DFS 23 NYCRR 500 calls for greater use of encryption for data at rest and data in flight. Vendors such as Gemalto, Vormetric (Thales), and SafeNet, as well as network security players such as Blue Coat (Symantec), Check Point, Cisco, Fortinet, Juniper and Palo Alto Networks should benefit. The New York State cybersecurity regulations may also lead to centralization of key and certificate management—something that is long overdue.

Aside from cybersecurity people and technologies, New York State’s new cybersecurity rules ought to be boon for lawyers. The DFS regulations are new, so what to do and how to do it is up for some interpretation. This should keep New York-based cybersecurity-savvy attorneys busy for some time.