Corporate Compliance Insights

New York’s Bold Move to Improve Cybersecurity

by James Lee
September 11, 2018
in Cybersecurity, Data Privacy, Featured

Could It Have A Bigger Impact Than More Famous Legal Siblings?

The California Consumer Privacy Act and the GDPR went into effect earlier this year, and New York state is following suit; last week marked the compliance deadline for the NY DFS cybersecurity regulations. Compared to the broad provisions of the GDPR and CaCPA, the New York regulation makes clear that efforts to improve cybersecurity are not optional. James Lee, Executive Vice President of Waratek, discusses.

When the history of summer 2018 is written, the chapter on data protection and privacy will be dominated by the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CaCPA – aka California GDPR). Both represent a seismic shift in how the business community manages and protects consumer information, and both – if you read the fine print – will ultimately force more action on cybersecurity.

Less attention has been paid to the September 4, 2018 compliance deadline for New York’s Department of Financial Services Cybersecurity Regulations (23 NYCRR 500). Yet, in practical terms, the New York regulations have a far more immediate impact on businesses and greater potential to improve cybersecurity outcomes that will ultimately benefit consumers.

Privacy by Design: Protection by Default

Both the GDPR and CaCPA reference a duty to maintain security practices and procedures equal to the risk of harm to consumers. The GDPR makes it clear that security is a foundational element of data protection and requires that it be part of product and service design and execution. Likewise, the CaCPA requires organizations to have data security programs in place to protect consumer data. In both cases, having robust cybersecurity programs can be taken into consideration in enforcement actions.

The GDPR includes powerful financial incentives for ensuring your cybersecurity programs are robust and effective: fines of up to €20 million or 4 percent of annual global revenue. At the core, though, the GDPR and CaCPA are not cybersecurity laws. They are data-centric consumer protection laws that focus more on giving consumers access and control over data rather than mandating specific data protections.

The end result of both the EU and California approaches is a lot of guesswork on what meets the standard for cybersecurity protections.

New York’s Different Approach

Similar to the EU transitional approach to implementing the GDPR, 23 NYCRR 500 has been in effect since March 2017, but includes multiple deadlines. In fact, the regulations will not be fully enforceable until March 2019, when ensuring the security of third-party vendors will be required.

Other similarities include requirements for written plans, annual assessments and the appointment of an executive to oversee the programs required by the rules. In the case of the New York regulations, the appointment of a Chief Information Security Officer is required. But those broad requirements are generally where the similarities end between the GDPR/CaCPA and 23 NYCRR 500.

The New York regulations are specifically directed at protecting businesses regulated by the New York State Department of Financial Services and their customers from the impacts of cyberattacks. The provision effective in September 2018 is a good example of providing guidance and focus on an otherwise underrepresented, but highly vulnerable to attack, area of any organization: application security.

Section 500.08 Application Security.

(a) Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.

(b) All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.

There’s a lot of punch packed into those 83 words. Terms like “shall” make AppSec mandatory, while “in-house developed” and “externally developed” ensure all applications used in a regulated company meet defined standards. Additionally, “periodically reviewed” means the actions cannot be a “one and done” practice.

A Broad View with a Laser Focus

In adopting 23 NYCRR 500, New York officials took a comprehensive view of cybersecurity, ensuring each area of concern received the focus it required.

Network protections, for example, have historically received the lion’s share of cybersecurity funding and staffing, yet known code vulnerabilities in applications are the primary target for successful attacks. Pick just about any of the high-profile data breaches over the past decade and chances are that a known flaw in an app was at the core of the attack – often a known, but unpatched software bug.

That is one of the reasons why the New York State Department of Financial Services includes a specific application security provision. It is one of 15 different areas of focus in the regulations, alongside requirements for penetration testing and vulnerability assessments, audit trails, limits on data retention, training and monitoring, and encryption of non-public data.

Businesses subject to the regulations only have 72 hours to report to the Commission of Financial Services any “cybersecurity event” that has “a reasonable likelihood of materially harming any material part of the normal operation(s)” of the business. While this is the most aggressive breach notice provision in the U.S., it stops short of requiring a public notice of the event within the same timeframe. In the EU, a similar GDPR requirement is driving a surge in breach notifications, according to the United Kingdom’s Information Commissioner’s Office.

Drawing Attention Outside New York

It’s highly unlikely you would be reading this article if advocates and public officials across the U.S. were not asking the obvious question: Should New York’s cybersecurity rules be a model for the rest of the country? The passage of the CaCPA in June 2018 is proof that other states are looking to address the unrelenting threat from cyber criminals in a more comprehensive way. Federal regulators are also discussing the need for more cybersecurity accountability.

The Federal Reserve Board’s vice chairman for supervision, Randal Quarles, noted in February that more action is required: “While we know that successful cyberattacks are often connected to poor basic information technology hygiene, and firms must continue to devote resources to these basics, we also know that attackers always work to be a step ahead, and we need to prepare for cyber events.”

What Path to Follow?

There is a delicate balance to be struck here. Regulations that are too prescriptive run the risk of preventing companies from being able to address the ever-changing attack vectors used by malicious hackers. Overly broad rules can fail to provide the guidance required to ensure that the outcomes sought by the regulations – and a high level of compliance – are achieved.

It won’t take long to determine into which category 23 NYCRR 500 falls.


Tags: California Consumer Privacy Act (CCPA), Cybercrime, GDPR
James Lee

James E. Lee is Executive Vice President of Waratek, a leading cybersecurity company based in Dublin and Atlanta. Lee is the former CMO at data pioneer ChoicePoint and an expert in data privacy and security, having served nine years on the board of the San Diego-based Identity Theft Resource Center, including three years as Chair. Lee has served as a leader of two ANSI efforts to address issues of data privacy and identity management. Lee is also a former global leader at International Paper Company (NYSE: IP).

© 2025 Corporate Compliance Insights