Search the Site

Ransomware Attacks Put New York Cybersecurity Regs in Spotlight

No one in New York is saying “I told you so,” but as the second major ransomware attack in two months spreads around the world, the groundbreaking cybersecurity rules introduced by the state’s Department of Financial Services (DFS) are looking like a sound idea — and, possibly, like a viable model for other states to follow.

New York’s first-of-its-kind cybersecurity regulations were implemented earlier this year to combat ever-increasing cybersecurity risks. Issued by the DFS, the rules apply only to insurers and certain financial institutions — businesses that, due in part to the sensitive nature of customer data they maintain, have much at risk in any data breach. The regulations mandate that the banks and insurers subject to them appoint a Chief Information Security Officer by August 2017. In addition to requiring the appointment of this new C-suite executive, as well as periodic risk assessments and the maintenance of cybersecurity programs, the regulations require entities to:

  • Implement written cybersecurity policies;
  • Comply with governance and staffing requirements, including appointment of a Chief Information Security Officer by August 2017;
  • Limit user access privileges;
  • Install a vendor risk-management program, policies and procedures;
  • Destroy nonpublic information periodically and securely;
  • Establish a written incident-response plan;
  • Provide regular cybersecurity awareness training; and
  • Notify the DFS of any breaches within 72 hours.

Not long after the implementation of the New York rules in March, the WannaCry ransomware outbreak infected approximately 200,000 endpoints across 150 countries. Even before the latest attack, that was more than enough to underline the cyberthreat to financial institutions and insurance companies.

In its March 10-K filing, BlackRock, the world’s biggest asset manager, said “a cyberattack or failure to implement effective information and cybersecurity policies, procedures and capabilities could disrupt operations and cause financial losses that may have a material adverse effect on our business, results of operations and financial condition.” Meanwhile, MetLife acknowledged that although it has taken preventive actions to protect its IT, it may not be sufficient “to prevent physical and electronic break-ins, cyberattacks or other security breaches to our computer systems,” according to the company’s March 24, 2017 10-K filing.

Highly publicized intrusions like the current ransomware attack, and the costly resolution of previous data breaches, remind companies of the severity of risk they face from such events. Just this week, Anthem Inc., the nation’s largest health insurer, agreed to a record $115 million settlement in litigation over a 2015 breach that exposed the personal information of 79 million individuals.

The DFS rules are one state’s effort to shore up cybersecurity efforts, prevent such costly incidents from happening and speed the resolution of those that do. In April, the superintendent of DFS, Maria Vullo, made clear at a gathering of state insurance commissioners that she believes the New York regulations should serve as a model for other states to follow. As attacks become more sophisticated and widespread, her message may be gaining in appeal.

Related Articles

Google Parent Sued by Shareholders for Handling of #MeToo Allegations

In the era of the #MeToo movement, high-profile corporate executives getting sacked for bad behavior has become almost commonplace. New developments w...

IPO Traffic Jam Part of Shutdown’s Effects on SEC

As the longest federal government shutdown on record approaches the one month mark, visitors to national parks and monuments are discovering mountains...

Tobacco, Alcohol Companies Going to Pot

With the counterculture revolution in full swing, public support for legalizing marijuana in the United States hovered around a measly 10 percent of A...