New York Cybersecurity Regs to Take Effect March 1

The state of New York is implementing sweeping new regulations designed to protect insurers, banks and others from the growing wave of electronic security breaches which are making headlines and causing headaches across the financial services industry.

The new rules, slated to take effect March 1, mandate that insurers, banks and other financial services institutions regulated by the Department of Financial Services (DFS) establish and maintain a cybersecurity program. In addition to setting program standards, the 12-page document also provides definitions for companies as well as laying out “Transitional Periods” of 180 days to two years for companies to comply with different parts of the conditions and parameters of the regulations.

Entities must create and maintain written policies, requiring board-level or equal approval, setting out the company’s cybersecurity plan. Companies also must designate a chief information security officer (CISO), either in-house or third-party, who will be required to report annually to the company’s board. The rules call for stress testing of systems and periodic risk assessment and for the inclusion of third party service providers in a company’s cybersecurity plan.

The regulations will be published in the New York State register on March 1 and lay out the Department’s logic in establishing the new standards. According to the document:

“The New York State Department of Financial Services (DFS) has been closely monitoring the ever-growing threat posed to information and financial systems… Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances… It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs.”

New York’s regulatory framework is the first of its type in the nation, according to a release from the Governor’s office.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Andrew M. Cuomo said in the statement. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

Under development since 2014, proposed new regulations were first published in September 2016, followed by a 45-day comment period. Updated proposed regulations were then published in December 2016, followed by a 30-day period for comments. Then in December, N.Y. state delayed implementing the rules and subsequently adjusted some requirements to reflect input from the industry, which asserted the rules were burdensome and said they would need more time to comply.

In addition to these accommodations, DFS took measures not to burden smaller businesses by establishing limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end assets.

According to the statement from the Governor’s office, the new regulations mandate:

• Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization

• Risk-based minimum standards for technology systems including access controls, data protection that includes encryption, and penetration testing

• Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events

• Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS

While cybersecurity has become an outsized concern for many business as high-profile breaches have played out in the media, sometime drawing in millions of consumers and costing companies millions of dollars in addition to precious reputational damage, many businesses remain under—or unprepared—for the challenges posed by cyber threats.

Indeed, The Hiscox Cyber Readiness Report 2017 surveyed managers and IT specialists at 3,000 small to large companies in the U.S., U.K. and Germany and found that just over half, 53%, of businesses are ill-prepared to deal with cyber-attacks. The study ranked companies from novice to expert in four key areas: strategy, resourcing, technology and process. Only 30% qualified as “expert” in their overall cyber readiness, of which 49% were U.S.-based companies.

Cyberattacks a Growing Threat for Healthcare

Because of the high value of medical records and healthcare databases to criminals, they pose ever more attractive targets. In fact, a number of reports have shown that cyberattacks are costing the healthcare industry billions of dollars annually, with a median loss of $150,000 per incident. Cybersecurity risks in healthcare have also drawn attention to the vulnerability of hospitals, clinics and other healthcare providers.

The infographic below, which is part of a series by Advisen and Hiscox, looks at:

  • The frequency of Health Insurance Portability and Accountability Act (HIPAA) violations over the past five years
  • The median loss in healthcare cyberattacks
  • The percentage increase of protected health information (PHI) losses between 2006 and 2011 for printed records, servers, laptops, desktop, website, portable data storage devices, and other sources.

It also examines which revenue groups suffered more PHI losses and the size of breaches that occurred more frequently.
cyber-hc1

The majority of losses involve printed records, which have increased to 45% since 2011 compared to 3% by email.
cyber-hc2

While some may think that the majority of breaches are large, in the past five years, almost 50% of breaches have been small, with fewer than 100 records lost.
cyber-hc3

Smaller Companies At Higher Risk of Employee Theft

While every organization is at risk of employee theft–with the typical company losing 5% of revenue to fraud each year–smaller organizations with less than 500 employees (72%) were the most targeted.

According to The 2015 Hiscox Embezzlement Watchlist: A Snapshot of Employee Theft in the U.S., of the smaller companies targeted, four out of five had less than 100 employees and more than half had fewer than 25 employees. Smaller organizations also had the largest losses, according to the survey. Financial services companies were most at risk (21%), followed by non-profits, labor unions and municipalities.

Hiscox noted steps organizations can take to minimize employee theft, adding that this is most important for small- to medium-sized businesses, which can be more impacted by theft. In fact, the survey found that 58% showed no recovery of their losses.

Perpetrators of crime include tellers, bookkeepers and office managers. There is also a wide variety of schemes that have been used. 

Five States Most Likely to See Employee Lawsuits

Businesses in California, Illinois, Alabama, Mississippi and the District of Columbia face a markedly higher risk of being sued by their employees compared to the national average, according to a study by Hiscox.

“Not only are employment lawsuits more likely in those states, but the likelihood of catastrophic verdicts is also significantly higher,” Mark Ogden, managing partner of Littler Mendelson, employment and labor law firm said in a statement. “Unlike their federal counterparts, where compensatory and punitive damages combined are capped at $300,000.00, most state employment statutes impose no damages ceilings. Consequently, employers in high-risk states must ensure that their workforces are adequately trained regarding workplace discrimination, harassment and retaliation and that policies forbidding such conduct are strictly enforced.”

The study found that a U.S.-based business with at least 10 employees has a 12.5% chance of having an employment liability charge filed against it. Businesses in several states, however, face a much higher level of exposure to litigation. California tops the list with establishments with at least 10 employees having a 42% higher chance above the national average of being sued by an employee. Other states and jurisdictions include the District of Columbia (32%), Illinois (26%), Alabama (25%), Mississippi (19%), Arizona (19%) and Georgia (18%). Lower-risk states for EPL charges include West Virginia, Massachusetts, Michigan, Kentucky and Washington.

State laws can have a significant impact. For example, the employee-friendly nature of California law in the area of disability discrimination may contribute to the high charge frequency in the state. Discrimination cases filed at the state level in California are brought under the Fair Employment and Housing Act (FEHA). FEHA applies to a broader range of businesses, covering any company with five employees, versus a 15-employee minimum for cases brought under federal law as outlined in Title VII of the Civil Rights Act, according to Hiscox.