The challenge of keeping organizations and people secure in cyberspace continues to grow as global hackers become emboldened by a string of successes with seemingly little to no repercussions. Regulators and lawmakers are doing their best to keep up with protecting individuals' privacy and data security as database after database is broken into and confidential information is stolen. New York government and agencies are rising to the challenge in the following ways:
Increased Privacy Protections
Recently, New York Governor Andrew M. Cuomo announced a comprehensive law that will provide New Yorkers with transparency and control over their personal data and provide new privacy protections as part of the 2021 State of the State. This law will mandate that companies that collect information on large numbers of New Yorkers disclose the purposes of any data collection and collect only data needed for those purposes. Governor Cuomo will also establish a Consumer Data Privacy Bill of Rights guaranteeing every New Yorker the right to access, control, and erase the data collected from them; the right to nondiscrimination from providers for exercising these rights; and the right to equal access to services.
"New Yorkers appreciate the value and convenience that technology has afforded their lives, but progress does not need to come at the expense of basic privacy," Governor Cuomo said. "In a world where we are reliant on technology to work, learn, and even see our family, New Yorkers deserve transparency and accountability from the companies who collect and use their information. New York will act to pass a strong privacy law that safeguards New Yorkers' personal information and continues to encourage innovation."
Faster Reporting of Cybersecurity Incidents
In addition, on January 12, 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) published a Notice of Proposed Rulemaking (NPRM) titled Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (Proposed Rule), which would create accelerated notification obligations for banking organizations and bank service providers in the event of a “‘computer-security incident’ that rises to the level of a ‘notification incident.’” Importantly, the Proposed Rule focuses on security events that disrupt financial institutions’ operations and not just security events that impact sensitive customer information, some of which would not be covered by the Proposed Rule.
The Proposed Rule would require a “banking organization” to notify its primary regulator no later than 36 hours after reasonably determining that a qualifying incident has occurred, and it would require a “bank service provider” to notify a banking organization immediately upon detecting that an incident materially impacting such organization has occurred. If the Proposed Rule is enacted, banking organizations and their service providers may want to consider updating their incident response plans and vendor risk management programs to address its new reporting requirements. Comments are due by April 12, 2021, 90 days from publication in the Federal Register.
The Proposed Rule provides several examples of what the regulators would expect to be computer-security incidents rising to the level of a notification incident. They include, but would not necessarily be limited to:
- Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours)
- Widespread system outages with undeterminable recovery times at a bank service provider used by a banking organization for its core banking platform and applications
- Failed system upgrades or changes that result in widespread user outages for customers and bank employees
- Unrecoverable system failures that result in activation of a banking organization’s business continuity or disaster recovery plan
- Computer hacking incidents that disable banking operations for an extended period of time
- Malware propagating on a banking organization’s network that requires the banking organization to disengage all Internet-based network connections
- Ransomware attacks that encrypt a core banking system or backup data
Opponents say 36 hours is a very short amount of time, but advocates believe the importance of such rapid notification outweighs the burden of rapid reporting.
SolarWinds Fallout and the Need to Report
NY DFS-regulated entities must immediately report whether they have been affected in any way by the SolarWinds hack, reportedly the work of advanced state-sponsored actors, most likely Russian. This reporting requirement goes beyond the requirements of the NY DFS's landmark Cybersecurity Requirements for Financial Services Companies, which generally requires entities to report attacks that may cause material harm to a material part of their normal operations.
This expanded reporting requirement demonstrates NY DFS’s serious concern that the SolarWinds hack is “active and ongoing,” and will pose significant systemic risks to the financial system beyond what is currently known, because this adversary has also “compromised organizations that were not using SolarWinds Orion.”
More generally, the alert evidences the importance of a public-private partnership, starting with enhanced information sharing in the face of these advanced threats. As companies across all industries deal with this latest breach, it is also worthwhile to recall the liability protections for information sharing that the Federal Government provided in 2015.
This is a high level of proactivity by the NY DFS; they further point to the following resources worth investigating:
When determining how the breach may have affected your organization, keep in mind you should also provide notification if your institution has been notified of an impact by any affiliate who has access to your network or your nonpublic information. The Department’s cybersecurity regulation requires notice of any Cybersecurity Event that has “a reasonable likelihood of materially harming any material part of the normal operation(s).” 23 NYCRR 500.17(a)(2). Given the sophistication and persistence of the malware and the adversary, they ask any affected institution to file a notice immediately.
Addressing this far-reaching compromise will be a significant challenge for New York’s financial services industry. "The Department is committed to assisting your response and recovery efforts and is working closely with federal and state partners to provide you with actionable and timely guidance."
Any questions or comments regarding this incident should be directed here.
Protecting your organization is getting tougher, but it must be done to keep your business, government agency, school, state, city, etc. running.
Ask the experts at Apex Technology Services about how they can help your organization stay secure.
Rich Tehrani is CEO of RT Advisors and a Registered Representative with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). RT Advisors is not owned by Four Points.
The above information was strictly a technical/business news article/review regarding the company(ies) mentioned. The information contained should not be considered and is not a recommendation to invest in or sell short the securities of the underlying company(ies).