One of the nation’s most influential state regulators on Monday (Nov. 9) proposed a series of new security requirements aimed at third-party companies involved in payments. But the letter from Anthony Albanese, the acting superintendent of the New York Department of Financial Services, could have a chilling effect on PF development efforts, cracking down at potentially the worst time for payments startups.
The letter described “the financial industry’s reliance on third-party service providers for critical banking and insurance functions as a continuing challenge” and noted that such third-party services “often have access to sensitive data and to a financial institution’s information technology systems, providing a potential point of entry for hackers. A company may have the most sophisticated cyber security protections in the industry, but if its third-party service providers have weak systems or controls, those protections will be ineffective.”
Although the letter said that “there is a demonstrated need for robust regulatory action in the cyber security space,” most of the recommendations involve fairly routine auditing and reporting procedures. The security requirements were also fairly routine, including items such as requiring multi-factor authentication to limit access, increased use of encryption “to protect sensitive data in transit and at rest” and the unsurprising call for “the ability of the entity or its agents to perform cyber security audits of the third party vendor.”
One provision that is of somewhat more concern is a requirement that “each covered entity would be required to immediately notify the Department of any cyber security incident that has a reasonable likelihood of materially affecting the normal operation of the entity.” The problem is that when such security incidents are discovered, and often for a healthy amount of time after they are discovered, entities have little reliable sense of how deep or how effective the attack was.
This kind of rule could have the unintended consequence of forcing third parties to report literally every cyber security incident, regardless of how minor it may be, because there is always going to be “a reasonable likelihood of materially affecting the normal operation of the entity” until the forensic investigation has been completed. How much time will entities be given to evaluate such attacks before deciding whether to report them?
The proposed new rules would also impose some personnel requirements. “Each covered entity would be required to designate a qualified employee to serve as its Chief Information Security Officer (“CISO”) responsible for overseeing and implementing its cyber security program and enforcing its cyber security policy. The CISO would also be required to submit to the Department an annual report, reviewed by the entity’s board, assessing the cyber security program and the cyber security risks to the entity.”