Steve Tschoepe | March 5, 2018 | network safety, Part 500, 23 NYCRR, NYSDFS, Mortgage Lending, cloud-based data, Compliance Audit, Consumer Finance Protection Bureau, Compliance for Mortgage Companies, mortgage industry, mortgage business, cybersecurity, financial data security, mortgage company security, cyber security, Compliance, Due Diligence
New cyber security laws in New York mean strict accountability for businesses.
Cyber security is on the brink of an unprecedented crackdown in New York.
The finance industry is preparing for a new normal that looks vastly more stringent than before.
Part reaction to consumer outrage and part finger-pointing to the market for accountability when it comes to data breaches, the regulation titled Cybersecurity Requirements for Financial Services Companies (2017) is a broad re-draw of the rules by the state regulator.
In a country where the sector has historically played fast and loose with handling missteps, all eyes are watching to see how quickly it can adapt to the new normal.
As everyone settles in for the ride, industry insiders are already forming hypotheses about how far this new regimentation will reach.
Laying Down the Law
The new law outlining consumer data security measures in New York State is the first of its kind in the United States.
Officially released in March of 2017 with a built-in year of lag time, the enforcement date has arrived. As of Thursday, February 15, 2018, enforcement is in full effect.
Financial institutions are expected to have stepped up their game in safeguarding computer systems and the sensitive information stored inside. A full guide to the highly prescriptive requirements can be found here.
The end goal is to avoid security breaches by making businesses sufficiently fearful of repercussions. If they do foster an environment that allows for future problems or leaks of personal data, the stakes are high.
Who the Law Affects
The current law has been interpreted to include all banking, insurance, lending, and mortgage brokerage firms that are operating in New York. Every company under that heading will be held to the new standard.
This means that entities must get in gear to assess their actual and potential cybersecurity risks and make a solid plan to mitigate them.
The good news for IT departments is that due to the highly detailed guidelines about policy and the use of technology to patch up the security gaps, they have rather exact instructions to follow.
Beyond State Lines
At first glance, companies outside of New York might assume they have been spared from the harshest regulations in the country. After a closer look, it seems imminent that the change will have a wide-ranging impact.
Going forward, consumers will rely on their financial institutions to keep personal data safe. Not only are the expectations high, but the safety net sets the stage for demanding the same in other states.
Mortgage companies across the country are targeted by hackers because of the quantity of information they hold and its value for fraud. Companies outside of New York in the same industry should brace for the arrival of comparable laws on their home turf.
Out-of-state entities with branches in New York should have a response as well, even before their own states begin drafting something similar.
Vermont’s law names “securities professionals” as the intended subjects of its tighter regulations. Without specifying banks, the use of this broad term leaves the door open for enforcement against entities that may not previously have fallen under the state’s traditional regulatory agencies.
Because New York is a global financial hub, even entities doing business in New York should consider getting the jump on reassessing their policies as part of a continuity plan.
Beyond the Finance World
The effect of intensified scrutiny over cyber security practices will logically spill over to third parties that work in the finance world and businesses that directly manage cyber security for the industry.
Fortune magazine goes one step further, predicting that the ripple effect will go well beyond the financial industry. It could cover security events at any business that stores personal data “from point-of-sale to payroll providers.”
After that, it seems the industry shake-up will likely bleed into any major industry that houses consumer data using any sort of technology. These days, companies that aren’t keeping customer information in a computer system are few and far between.
The only thing the industry seems sure of is that this trend in accountability will not be contained by state lines or by industry.
In the early days of this new law’s enactment, the extent of this chain reaction is yet to be seen.
Over the next fiscal year, New Yorkers will lead the way, with countless gazes focused on them for cues of how to adapt.