March 1, 2017 marked the passing of the New York State Cybersecurity Regulation by the Department of Financial Services.
Upon the announcement of the regulation, New York State’s Governor Cuomo stated, “New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks.”
The first of its kind in the nation, this new regulation serves as a valuable marker in a regulatory environment that is taking increasing care to safeguard the information of consumers and companies through a demand for increased internal controls and transparency. Though New York State is the first, other states across the nation may well follow suit.
With that in mind, we at EQS Group want to help companies implement best-practice tools for their in-house record keeping and ERM. Cybersecurity is at the top of many compliance agendas and will remain so for the foreseeable future. Our global regulatory know-how and compliance tools can help you stay abreast of these new changes.
Who is Covered by This Regulation?
With the NYS Cyber Reg, your company doesn’t even have to be headquartered in New York. The regulation will apply to all businesses affected by the current New York banking, financial services, and insurance laws who operate under (or are required to operate under) a license, registration, charter, certificate, permit, accreditation or similar authorization.
As part of a desire to improve security in “supply chains”, the regulation also has a focus on vetting the third-party application and service providers that these companies use. A focus of the regulation will be requiring companies to adopt internal cybersecurity policies with set procedures on how processes, users, and data will be monitored and protected -- particularly non-public material information (NPI).
When do I Need to Comply?
Effective March 1, 2017 and divided into 16 sections, the NYS Cyber Reg has an incremental adoption roll-out over the next two years for affected companies. However, 7 sections of the regulation will require compliance within 180 days: by August 28, 2017. The areas addressed in these sections are as follows:
- Developing a cybersecurity program
- Creating a cybersecurity incident response program
- Designating an individual to oversee the cybersecurity program (a CISO or similar title)
- Continuously training personnel on cybersecurity protocols
- Creating a framework and process by which cybersecurity issues can be reported
- Performing internal risk assessments
- Limiting access privileges
Next Steps for your Team
This Cyber Reg marks an important step within the US regulatory environment. With this regulation in effect, other states, Colorado for example, are also considering enacting similar regulations. There is a big-picture shift towards better tracking, controls, processes, and internal monitoring within companies operating in the broader financial services and insurance arena.
In addition to the elements listed above, a large part of the regulation concerns tracking individuals: who has access to material non-public information from within the company (and outside of it), who has access when (and for how long), and who is part of the teams that have access to the various types of information. Moreover, information logs will need to be retained for upwards of five years in some situations.
Best Practice with EQS Group: Don't get caught on the defense
EQS Group is a leading player in the European Compliance world with its cloud-based tool, The Insider Manager. Developed for the European MAR regulation, this tool has been adopted by over 500 public companies across Europe, including giants like L’Oreal, Sanofi, and Vonovia.
The Insider Manager can help your company comply with the Cyber Reg and, more generally, ensure your company is being proactive, organized, and transparent about user access in a complex regulatory environment.
With our Insider Manager, your company can easily comply with requirements to create activity logs, user logs, access lists, and perform identity management both for internal teams and third parties. Our tool can easily import your contacts, create “teams” and projects for users, time stamp activities, and create automated reports for any regulatory requests that you may receive from FINRA, the SEC, or others. With the Insider Manager, your team can possess the tracking capability to log users and notify internal and external stakeholders of risk management issues in a timely manner. Users are notified automatically of certain disclosure requirements through a host of pre-loaded document templates and a mailing tool, and your compliance team can track when notices have been sent, when they have been acknowledged, and ask users to keep their information up to date.
Even companies not affected by the Cyber Reg could improve internal controls and risk tracking by using this easy cloud-based tool. Law firms with information walls, healthcare companies with client or trial data, and companies seeking proactive internal record keeping would benefit from this broad-reaching solution that decreases the chance of manual error, creates simplicity in record keeping, and creates assurance that your firm is seeking a gold star in internal house-keeping. Automated record generation for years of records ensures that any request is handled in a timely (and error-free) manner.
Importantly, EQS Group is also a leader in security. The Insider Manager comes with RSA token protection, and EQS Group itself is one of the most secure vendors in the industry, undergoing rigorous and constant penetration testing. As a third-party vendor, EQS Group is a leading choice for any company looking to bring the most secure partners into their corporate ecosystem.
Record-keeping and tracking information access is a challenge for many organizations. When regulatory requests come in, no one wants to be caught on the defense asking: who made the last user list? When did employee X leave the company? Access was granted to database X – but when was it cancelled? Why do so many people have access to this data set and who authorized it? Don’t be forced to sift through years of manual Excel logs and outdated user lists.
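To make the access-tracking requirement concrete (who holds access to what, since when, who authorised it, and what has passed the five-year retention window), here is an added example of an append-only access register that answers exactly the audit questions above. It is illustrative code written for this article, not EQS Group's or The Insider Manager's code; the events, user names, the `db_trading` resource, and the five-year retention constant are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed example (not EQS Group code): an append-only register of access
# grants and revocations. Events are never edited in place, so the register
# itself is the evidence trail a regulator would ask for.

VALID_ACTIONS = {"grant", "revoke"}
RETENTION = timedelta(days=5 * 365)  # assumed minimum retention period for events


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime          # when the grant/revoke took effect
    action: str           # "grant" or "revoke"
    user: str             # person receiving or losing access
    resource: str         # data set, database or team the access covers
    authorised_by: str    # who approved the change
    reason: str = ""      # free-text justification (e.g. "left company")


class AccessRegister:
    """Append-only log of entitlement changes."""

    def __init__(self) -> None:
        self._events: List[AccessEvent] = []

    def record(self, event: AccessEvent) -> None:
        if event.action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {event.action!r}")
        # A revoke must close an open grant; a grant must not duplicate an open one.
        is_open = event.user in self.holders(event.resource, at=event.ts)
        if event.action == "revoke" and not is_open:
            raise ValueError(f"{event.user} has no open grant on {event.resource}")
        if event.action == "grant" and is_open:
            raise ValueError(f"{event.user} already holds {event.resource}")
        self._events.append(event)

    def holders(self, resource: str, at: Optional[datetime] = None) -> Set[str]:
        """Who holds access to `resource` at time `at` (default: now)."""
        at = at or datetime.now()
        current: Set[str] = set()
        for ev in sorted(self._events, key=lambda e: e.ts):
            if ev.resource != resource or ev.ts > at:
                continue
            if ev.action == "grant":
                current.add(ev.user)
            else:
                current.discard(ev.user)
        return current

    def history(self, user: str, resource: str) -> List[Tuple[datetime, Optional[datetime], str]]:
        """Each (granted_at, revoked_at or None, authorised_by) interval for a user on a resource."""
        intervals: List[Tuple[datetime, Optional[datetime], str]] = []
        open_since: Optional[datetime] = None
        approver = ""
        for ev in sorted(self._events, key=lambda e: e.ts):
            if ev.user != user or ev.resource != resource:
                continue
            if ev.action == "grant":
                open_since, approver = ev.ts, ev.authorised_by
            elif open_since is not None:
                intervals.append((open_since, ev.ts, approver))
                open_since = None
        if open_since is not None:
            intervals.append((open_since, None, approver))
        return intervals

    def stale_grants(self, max_age: timedelta, now: datetime) -> List[Tuple[str, str, datetime]]:
        """Open grants older than `max_age`: candidates for an access review."""
        stale: List[Tuple[str, str, datetime]] = []
        for res in sorted({ev.resource for ev in self._events}):
            for user in sorted(self.holders(res, at=now)):
                for granted_at, revoked_at, _ in self.history(user, res):
                    if granted_at <= now and (revoked_at is None or revoked_at > now):
                        if now - granted_at > max_age:
                            stale.append((user, res, granted_at))
        return stale

    def past_retention(self, now: datetime) -> List[AccessEvent]:
        """Events older than RETENTION; only these may even be considered for disposal."""
        return [ev for ev in self._events if now - ev.ts > RETENTION]


def build_sample_register() -> AccessRegister:
    """Constructed sample events for one hypothetical trading database."""
    reg = AccessRegister()
    for ev in [
        AccessEvent(datetime(2017, 3, 1), "grant", "alice", "db_trading", "cso", "onboarding"),
        AccessEvent(datetime(2017, 3, 1), "grant", "bob", "db_trading", "cso", "onboarding"),
        AccessEvent(datetime(2017, 6, 15), "revoke", "alice", "db_trading", "hr", "left company"),
        AccessEvent(datetime(2017, 7, 1), "grant", "carol", "db_trading", "cso", "project X"),
    ]:
        reg.record(ev)
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    now = datetime(2017, 9, 1)
    print("holders of db_trading:", sorted(reg.holders("db_trading", at=now)))
    print("alice's history:", reg.history("alice", "db_trading"))
    print("grants older than 120 days:", reg.stale_grants(timedelta(days=120), now))
```

The register refuses a revoke with no matching grant and a duplicate grant, so the log cannot drift from reality the way a hand-edited spreadsheet does; `stale_grants` is the periodic access review the regulation's "limiting access privileges" item calls for, and `past_retention` lets you dispose of old records only once the retention window has actually elapsed.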
The Insider Manager is a best-practice solution for any company looking to be a leader in Enterprise Risk Management. With a solution so simple and with such wide-reaching positive implications for internal risk control, EQS Group can help your compliance team attain better workflows and security, reduce manual errors, and ultimately gain peace of mind.