The New York State Department of Financial Services has proposed a cyber security regulation that is unique in its breadth. The original proposed regulation underwent a 45-day review period, after which it was changed. It is currently under another 45-day review period pending further changes and should be published in the next few weeks.

The regulation affects all financial institutions that conduct business in New York State. The important distinction with this is that the institution need not be legally domiciled in the State. If the organization is registered to conduct business in New York State, then it is subject to the proposed legislation.

Why bother writing about this prior to the final adoption of the legislation? Since most of us in InfoSec are not attorneys, this regulation offers a rare glimpse into a process where we are the subject matter experts, allowing us to see how a regulation goes from its first draft to a finished law without too much of the legal jargon associated with many other regulations. (Have you attempted to read the 88-page General Data Protection Regulation that was adopted in the European Union? You can see a copy here, printed in the tedious-to-read 8pt. font.)

Another reason to examine the evolution of a regulation that impacts our profession is so we can see which broad ideas were reigned-in to a more manageable task and how some areas that we would love to see implemented lost some influence in the review process. In the case of this particular regulation, there is strong inferential knowledge in the evolving language.

Since the regulation contains 23 sections, I will cover some of the general sections here and follow-up with the more specific InfoSec sections in Part Two of this article.

The original regulation allowed businesses to be exempt from many of the sections of the regulation; however, the language was inclusive. A business was exempt if it had fewer than 1,000 customers over 3 years AND $5 million in gross annual revenue over 3 years AND less than $10 million in year-end assets.

The revised regulation changed those exemptions to “OR” statements and lowered the number of employees to fewer than 10 OR less than $5 million in gross annual revenue over 3 years OR less than $10 million in year-end assets. These simple “or” modifications make it much easier for a small business to be exempt from many but not all of the sections of the regulation.

One section that a small business would be exempt from is the requirement of the appointment of a Chief Information Security Officer (CISO). A larger organization must designate a CISO, and the CISO must file a report to a senior officer of the company “at least annually”. The original regulation called for a bi-annual report from the CISO. It should be noted also that the CISO need not be a direct employee of the company. I see the emergence of an entirely new business in New York: CISO-for-hire.

In the original regulation, it stated that a business (known as a “covered entity”) must “employ” cyber security personnel, require them to stay abreast of threats and countermeasures, and attend regular update and training sessions. My first response when I saw this was to wonder which credentials would be acceptable to satisfy those criteria. In the revised regulation, the word “employ” has been replaced with “utilize”, which would indicate the ability to use a third-party as the cyber security liaison for an organization.

In Part Two of this article, I will take a look at some of the more nitty-gritty InfoSec-specific aspects of this evolving regulation, including Pen Test and vulnerability scan requirements, multi-factor authentication, and encryption.