New York Increases Cybersecurity Rules for Financial Companies

Another example of a large and influential state doing things the federal government won’t:

Boards of directors, or other senior committees, are charged with overseeing cybersecurity risk management, and must retain an appropriate level of expertise to understand cyber issues, the rules say. Directors must sign off on cybersecurity programs, and ensure that any security program has “sufficient resources” to function.

In a new addition, companies now face significant requirements related to ransom payments. Regulated firms must now report any payment made to hackers within 24 hours of that payment.

Posted on November 3, 2023 at 7:01 AM • 20 Comments

Comments

David in Toronto November 3, 2023 10:18 AM

New York has always had a special place in many regulations (e.g. Insurance). The ongoing value as other jurisdictions mature is often debatable, but sometimes we need trailblazers.

Go NY!

Philter November 3, 2023 11:01 AM

“a large and influential state doing things the federal government won’t”

well, there are supposed to be rational limits on what State and Federal government can command private businesses and citizens to do or not do.
These formal limits are known as Constitutions, apparently an archaic term these days.

There is no constitutional authority for issuing such Cybersecurity commands and rules upon the populace.
And the government itself has a horrible Cybersecurity record — those bumbling politicians and bureaucrats are in no position to advise anybody on Cybersecurity.

Doug November 3, 2023 11:05 AM

I did a quick check and it seems that the law left out one very important and necessary bit. Penalties for failing to meet the requirements are not specified. Until companies are fined to the point of losing significant profits, nothing is going to change. I’d go so far as to say that the entire C suite and board needs to be whacked so hard they have to downsize their homes and sell their yachts and then force terminate the entire lot.

My identity has been compromised multiple times through no fault of my own; Equifax, Anthem, my company’s HR system, bank tapes stolen from a processing center, Target, etc. Every time I get a ‘We are so sorry, no clue what happened but we’re on it and here’s free credit monitoring for a year or $5 for your troubles’. F&^& that s&^%% and the laws that let these companies laugh while pocketing huge profits. Hit ’em. Hit ’em HARD.

Clive Robinson November 3, 2023 11:28 AM

@ Doug,

“I’d go so far as to say that the entire C suite and board needs to be whacked so hard they have to downsize their homes and sell their yachts and then force terminate the entire lot.”

You are aiming at the monkey on the organ, not the organ grinder.

You should put the cross hairs on the major shareholders and Venture Capitalists who are actually the “directing mind” and use the board and C suite as “front men”.

As the saying goes “follow the money”.

Oh and it should not just be forced downsizing, spending time in jail based on a simple basis of how long it would take to earn on the average wage, what they have effectively embezzled or are trying to embezzle might have a moderating effect and keep them out of further such behaviours.

The real problem is such embezzlers will just find another way to arms length themselves through idiots who think they can game their way out.

jimbo November 3, 2023 3:45 PM

Philter, the tenth amendment to the US Constitution,
“The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.” plainly gives rights to the state to do so.

ResearcherZero November 5, 2023 5:20 AM

@Philter

It’s your data that these companies hold and profit from. And it’s your data that criminals profit from when they get their hands on it. Probity and Compliance are an important part of a company’s obligations in order to conduct business.

“He has two parents that are compliance lawyers.”
https://www.seattletimes.com/business/sam-bankman-frieds-wild-rise-and-abrupt-crash/

Less than 20% of the 147 firms that listed on the ASX over the 2020–21 financial year mentioned cyber security in their first annual reports…

https://www.australiaunwrapped.com/australian-companies-failing-to-report-on-cyber-security/

Companies now face a fine of $50 million for “serious or repeated” privacy breaches.

“Cybersecurity and resilience are not merely technical matters on the fringes of directors’ duties.”
https://www.smh.com.au/business/companies/watchdog-takes-aim-at-company-directors-over-cybersecurity-20230918-p5e5h9.html

Not one Australian company has been fined [yet] despite 1,748 data breaches in 2 years

https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications

Over two-thirds of Australian organizations suffered a ransomware attack between 2019 and 2020, and of these victims, 33% paid the ransom.
https://www.upguard.com/blog/should-australian-businesses-pay-ransoms-to-cybercriminals

ResearcherZero November 5, 2023 5:39 AM

The contemnor holds “the keys to his prison”. A list of things to fail at:

https://www.jdsupra.com/legalnews/bsa-compliance-fails-go-to-jail-a-new-65792/

ResearcherZero November 5, 2023 6:07 AM

@Philter

100 Other Reasons to Meet Compliance Obligations

“80% of S&P 500 companies pay their CEO over 100 times more than they pay their median worker. That means it would take 100 years for the average employee at one of these companies to earn what their CEO makes in a year.”

CEO compensation has grown 1,322% since 1978, while typical worker compensation has risen just 18%.

By the EPI’s calculations, the CEO-to-worker pay ratio was 20-to-1 in 1965 and 59-to-1 in 1989.

https://ips-dc.org/wp-content/uploads/2019/09/EE19-Sept-2019.pdf

Preferences may be limited and strongly influenced by the actual institutions and environment in which they are located, as well as by the results of previous choices.

(Adaptive preference formation is the unconscious altering of our preferences in light of the options we have available.)

Philter November 5, 2023 9:45 AM

@ResearcherZero :

… your base assumptions on this government-regulatory issue are incorrect.

First, you somehow assume that government politicians & their employees automatically possess more Cybersecurity expertise than is available to private business & citizens.

Second, you somehow assume that people with a government job title are automatically selfless, honest and diligent protectors of citizens’ private Data & legal rights.

(… whereas the people running private business are assumed to often be greedy exploiters of their customers, uninterested and dangerously lax on Cybersecurity)

Third, you somehow assume that American law readily permits unelected & unaccountable regulatory bureaucrats to issue direct commands to private business & citizens … at the whim of those government bureaucrats.

Winter November 5, 2023 11:53 AM

@Philter

the people running private business are assumed to often be greedy exploiters of their customers, uninterested and dangerously lax on Cybersecurity

Actually, they are obliged by law to pursue every legal strategy that maximizes shareholder value. If it is legal and profitable, they are required to do it.

They are only allowed to pursue cybersecurity when their shareholders demand it, if it maximizes shareholder value, or is a legal requirement.

Look at Amazon. They will do the least legally possible to protect the health and life of their employees. The same for the meat packing industry. During the pandemic most employees contracted hundreds of their employees died unnecessarily because not protecting them was more profitable.

[1] https://edition.cnn.com/2022/05/12/business/meat-companies-investigation-covid-response/index.html

https://themarkup.org/working-for-an-algorithm/2022/02/10/data-provided-by-amazon-workers-offers-rare-glimpse-into-covid-cases-in-california-warehouses

https://themarkup.org/working-for-an-algorithm/2022/06/09/an-amazon-warehouse-workers-life-turned-upside-down-after-she-was-hospitalized-for-covid

ResearcherZero November 6, 2023 12:00 AM

@Philter

I also assume that there is a law that you have to drive in the right direction, in the appropriate lane, at an appropriate speed, while not drunk.

I also assume that following regulatory guidelines will assist in avoiding M.A.E.D.

http://www.rand.org/content/dam/rand/pubs/occasional_papers/2011/RAND_OP344.pdf

“…as low global interest rates trigger more investment, those inflow surges benefit entrepreneurs by raising their returns, while lowering household earnings on bank deposits within the countries. The potential impact on income inequality provides another reason beyond financial stability for resisting abrupt surges in capital inflows.”

https://www.frbsf.org/economic-research/publications/economic-letter/2021/march/capital-flow-surges-and-rising-income-inequality/

External liabilities are riskiest when they generate currency mismatches—when external debt is in foreign currency and is not offset by foreign currency assets or hedges.
https://www.imf.org/en/Blogs/Articles/2022/03/30/blog033122-why-the-imf-is-updating-its-view-on-capital-flows

Global economic policy uncertainty risks in emerging and developing economies.

https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0275249

ResearcherZero November 6, 2023 6:42 AM

@Philter

First, you somehow assume that government politicians & their employees automatically possess more Cybersecurity expertise than is available to private business & citizens.

Second, you somehow assume that people with a government job title are automatically selfless, honest and diligent protectors of citizens’ private Data & legal rights.

(… whereas the people running private business are assumed to often be greedy exploiters of their customers, uninterested and dangerously lax on Cybersecurity)

Third, you somehow assume that American law readily permits unelected & unaccountable regulatory bureaucrats to issue direct commands to private business & citizens … at the whim of those government bureaucrats.

I’ve spent more time in court fighting people from the government than you could likely ever comprehend. They are not all bad, just like the rest of society. Where they worked had no impact on what kind of people they were. Some were, and still are, just bad.

Sometimes that particular legal system operated far from normally (really corrupt), and sometimes it didn’t. Sometimes people were murdered, and sometimes they survived. Sometimes it was really, really ugly …and sometimes it wasn’t. Though it was very, very unusual.

Sometimes I was killed (murdered), and then revived (obviously). And sometimes a lot of other people were killed (friends and colleagues). Other times none of that stuff happened and it was completely and utterly normal. There was singing, and there was dancing, and then it was …back to the meat grinder.

I might have even been a businessman myself, also worked for the government, and occasionally spent time in something that looked like a giblet and intestine factory.

And now some of those bad people are in prison. Though it took 40 years. Some are not.

ResearcherZero November 6, 2023 7:15 AM

@Philter

Instead of stopping people who were selling our secrets, I sometimes was instead rescuing children who were kidnapped and held hostage by people who worked in government jobs.

They kept being set free – as two of the prosecutors were corrupt, a couple of cops and detectives, a judge who was one of the worst child predators in the state, and a couple of other people in various departments. I had to pursue them through the courts myself. The same courts where the very same prosecutors and the judge worked. Many of the other judges were decent and very fine people, but you don’t always get the judge you would like.

Because the cases all involved minors, they put gag orders in place and it all took place in closed courts. That largely prevented any reporting from the media.

Anyway, they were very prone to using bullets and explosives on occasion, which is never a pleasant reality to have to accommodate. Consequently, there were not many volunteers willing to assist, and witnesses often had a strange aversion to appearing in court.

Strangely not many people wanted to get involved with solving the problem. Politicians, bureaucrats, or members of the public. Not even the parents of the very children who were kidnapped. Not the police, not the law society. Not the media. No one was very keen.

Not that avoiding court improved the chances for witnesses and victims. They have continued to die at a significantly higher rate than normal.

ResearcherZero November 6, 2023 7:33 AM

@Philter

Though the police did continue to call and ask me to rescue hostages for them, and I rarely turn down a chance to be shot or stabbed.

ResearcherZero November 6, 2023 8:27 AM

@Philter

Inevitably such cases always involve financial exploitation, blackmail and money laundering. Corruption is a weak spot for espionage…

It involves many of the same elements, sometimes some of the very same people. Some who may not be aware of just what they are getting themselves involved in. They do get warnings.

“Since authoritarian trends pushed the world into a rule of law recession in 2016, the global downturn has affected 78% of countries, the latest Index shows. This and other authoritarian trends continued in 2023, but they are slowing, with fewer countries declining in 2022 and 2023 than in earlier years.”

https://worldjusticeproject.org/news/wjp-rule-law-index-2023-global-press-release

Declines in the functioning of justice systems are now spreading, with more countries struggling to provide people with timely, affordable, and accessible justice.
https://worldjusticeproject.org/sites/default/files/documents/WJP_Measuring%20the%20Justice%20Gap_final_20Jun2019_0.pdf

Jos November 6, 2023 8:41 AM

That’s also part of what the EU Digital Operational Resilience Act tries to achieve.
What makes the US legal landscape that different from the EU that they bring this to state level instead of national level?

ResearcherZero November 6, 2023 11:00 PM

@Jos

Probably the EU has a more central and cooperative approach. A lot of representatives are already located in Brussels, and that likely makes it easier for discussion that leads to a more unified approach. Perhaps easier to also raise objections and modify the solution so that it is more appropriate for all interested parties.

In the US, doing it at state level may avoid a lot of political obstacles that exist at the federal level.

Management Is Not Security

When cyber security incidents began in the 1990s, many managers were not even interested.
Sys admins had a different perspective, but they were not high on the manager’s list of priorities. The only priority of managers was if the system was working or not.

Nation states were breaking into the networks and the managers often replied that they would call if and when they needed assistance. Sometimes other ways needed to be found to evict the intruders, when managers failed to act. Getting hold of the admin was a more productive route when possible, as you could instruct them how to identify, remove and evict.

“P**s off,” to quote a telco manager. Banks didn’t even act when money was stolen.

Eventually some states began to introduce legislation covering a few basic requirements, such as the reporting of breaches, while waiting for national guidelines.

Most of the incidents that become public are more recent events…

“A memo sent to MPs said a Trojan virus had penetrated Parliament’s Information Technology network, forcing computers and phones to be isolated.”
https://www.abc.net.au/news/2016-02-17/cyber-security-breachwa-parliament-knocks-out-communications/7176570

“At about 5.40pm on March 4 (2021), the Australian Cyber Security Centre notified WA Parliament of unusual activity on its Microsoft Exchange mail server, which handles sensitive parliamentary emails.”
https://www.watoday.com.au/national/western-australia/wa-parliament-confident-sensitive-data-safe-after-hack-linked-to-china-group-20210317-p57bl9.html

Thousands of Australian servers are believed to have been affected by the hack, although the federal government has not publicly identified any of the organisations or businesses hit…

“While this offender was sophisticated enough to compromise the networks, it was not sophisticated enough to remain undetected.” – funny quote
https://www.smh.com.au/national/farewell-tech-utopia-how-governments-are-readying-the-web-for-war-20190218-p50yhh.html

ResearcherZero November 8, 2023 12:16 AM

Laws governing incident response do not require that an authority steps in, but that they can step in the case of a major unresolved issue, (when someone makes a request for instance), if needed.

Jos November 8, 2023 2:39 AM

@ResearcherZero

Thanks for the response, I understand the difference a little better now.
Still need to get used to the difference in approach between state and federal legislation in the US and the domestic and federal legislation in the EU.
I’m not an expert in law, so things which make sense for me might not in US context.

On your other post, about the ability to step in, that’s what I’m seeing with DORA legislation as well. They are trying to identify systemic risk in the financial sector, where systemic risk is not the already regulated parties, but in this case ICT providers of services which many in the industry use. Microsoft/Amazon as cloud providers are obvious, but also the SWIFT network providers and companies such as DTCC where it comes to trade confirmation (DTCC as central clearing party is already regulated, not sure about trade confirmation).
In these cases EU can bring such providers under the stricter financial regulation (or something similar) to reduce the risk on such a provider.
This also involves getting those responsible for contracting such providers to become aware of the risk and be accountable. The same goes for the internal ICT risk, although the risk for a bank is different than for let’s say an insurance company.
