NYDFS cybersecurity: Concerned by incident reporting?

Even after relaxing many of its proposed terms, the New York Department of Financial Services’ (NYDFS) cybersecurity regulation was still called “one of the most, if not the most, prohibitive and burdensome cybersecurity regulations” by the National Law Review earlier this year.

One of the main reasons for this is the Regulation’s strict 72-hour notification period for reporting cybersecurity incidents. This will likely lead to organizations having to report to the NYDFS frequently, as they are required to disclose any attempt – whether successful or not – to disrupt, misuse, or gain access to the information they store.

Reputational damage

With such a high bar for compliance, many organizations could repeatedly fall short of the Regulation’s requirements. Not only will this lead to numerous fines, but the public may view financial institutions based in or operating in New York as less secure than others, creating a bad reputation that could linger for years.

This is a genuine concern for many given that news of security breaches is now more accessible than ever. Many breaches are reported in the mainstream media – not just niche outlets for those specifically looking for news of data breaches – while the Freedom of Information Act makes data breach information publicly available.

Reputational damage would likely affect smaller and community banks the most. At a public hearing last year, James Whalen, associate counsel at Albany-based Pioneer Bank, said:

We’re concerned that the public nature of these reports could create the false impression among community bank customers that New York State-chartered institutions are less secure than their federally chartered counterparts.

Customers could leave for this reason.

While smaller banks may be hit the hardest by this, even the largest financial institutions should take note. As has been seen time and again, an organization that is marked as a security liability can quickly lose the trust and loyalty of its customers.

For instance, in the first six months after the 2013 Target hack, the company’s profits fell by 41%, and eBay, which was compromised in 2014, admitted declining user activity in the months after it disclosed the breach.

Attempting to get around this by not disclosing a breach could lead to even larger repercussions. Not only will the financial institution have suffered a breach, it will have failed to comply with the NYDFS’s notification requirement.

Earlier this year, the Federal Deposit Insurance Corporation (FDIC), a major banking regulator, was accused of covering up a number of data breaches between 2010 and 2013. Time will tell how badly the FDIC will be affected by this breach, but it’s probably not going to be a major boon to its reputation.

Protecting your organization

Do you represent a Covered Entity under the NYDFS cybersecurity regulation? If so, you may want to consider joining us on the next webinar in our NYDFS cybersecurity series: Data privacy, security measures, and managing third-party service providers to meet compliance requirements.

Date: August 17, 2017

Time: 10:15 – 11:00 am (PST)/1:15 – 2:00 pm (EST)

Presenter: Alan Calder

An essential part of preparing for the Regulation is planning controls for the encryption and disposal of non-public information, multi-factor authentication, and monitoring third parties for compliance.

In light of these requirements, we are offering a webinar that discusses the following relevant topics:

  • How to implement multi-factor authentication with two verification measures
  • Data retention limits and the disposal of non-public information
  • Encryption of non-public information
  • Managing third-party service providers to secure non-public information

Register here >>

Have you missed the previous NYDFS cybersecurity regulation webinars? Don’t worry, you can download the slides and watch the videos here >>