A growing number of states have enacted laws this year to study artificial intelligence (AI), ahead of possible legislative action to address expected threats to jobs, civil liberties, and property rights from the emerging technology. The specific goals of these committees have varied. For instance, Minnesota is studying how AI-enabled intelligence sharing by law enforcement might lead to civil liberty violations, while North Dakota is considering how the technology could affect matters ranging from the job market to the 2024 elections. Perhaps leading the pack, Vermont released a detailed inventory of the AI currently deployed in its state government. The state plans to use this information to develop a robust AI ethics board and audit procedures to protect the rights of Vermont citizens amidst future AI developments.

Industry-specific guidance has begun to emerge as well. For instance, many state insurance regulators are weighing in on “novel data sources,” or non-traditional data points that insurers may use to inform underwriting decisions. These data sources may include everything from educational attainment to social media presence. Regulators are coming to different conclusions on the matter, though. For instance, proposed Colorado Insurance Commissioner guidance treats motor vehicle reports and criminal history as novel data sources, while guidance from New York’s Department of Financial Services does not.

Businesses seeking to leverage AI’s transformative power will need to keep a close eye on these developments, and wise companies may consider proactively forming an AI governance committee.

Pretty much the only time I don’t feel like I am Chicken Little predicting a massive cyber-attack is when I am with my colleagues at the FBI, Secret Service, NSA and my students in the Brown Executive Masters of Cybersecurity who are members of the military. They don’t respond to my thoughts and fears of cyber-attacks with a cocked head or raised eyebrow like everyone else in my life.

I am concerned that at some point in the future, we will experience a massive cyber-attack that may affect critical infrastructure that we depend on every day. It will not be total and complete. There won’t be a large loss of lives. It will not affect us for a long period of time. But when it happens, it will be effective in disrupting our lives and causing chaos like we have never before experienced. It will be chaotic because we are completely dependent on technology. If our technology is disrupted, our lives will be in massive disorder.

This scenario became more real this week with the increased tensions between the United States and Iran. Iran has had sophisticated cyber capabilities for years and has been behind many cyber-attacks around the world. Sanctions have not had an impact on the effectiveness of Iranian-backed hackers, much the same as those imposed on North Korea.

I am not Chicken Little. The Department of Homeland Security warned this week of the heightened risk of Iranian-backed cyber-attacks on critical infrastructure in the United States. The New York Department of Financial Services (DFS) warned banks of the increased risk of an Iranian-backed cyber-attack on the financial services industry. Other such attacks also could affect power, electricity, water, financial services, hospitals, chemical plants, schools, manufacturing facilities—you name it. How do we personally prepare for an attack that may affect those systems and services?

Preparing for a cyber-attack on critical infrastructure is much the same as preparing for a natural disaster in the face of Mother Nature. Think about what you would need if you were not able to have access to electricity or water, or not able to pay for things through your credit card or debit card or even get access to your online bank account. What would you need if cell service were not available? I often think of what I would have needed following Hurricane Katrina. But in a cyber-attack, you can’t get in your car and drive to another city or state to avoid the disaster.

Some things to consider in this time of increased threat from Iran and the warning from DHS and DFS would be to have on hand extra water, cash, non-perishable food, candles, a generator, prescription medication, a flashlight and other basic daily necessities that will help get you through a week or two of disruption. Just picture not having access to your online bank account, or the ability to use your credit or debit card or your cell phone. What do you need if the electricity is out? How would you survive “Naked and Afraid?”

Heed the warnings from DHS and DFS – examine your daily routine to determine what you would need and prepare now. That way, whether it is a cyber-attack from Iran, or a threat from Mother Nature, you will be prepared.

Following in the footsteps of the New York Department of Financial Services (NYDFS) in enacting cybersecurity requirements for the financial services industry, and in response to massive data breaches in the insurance industry, a wave of states have either enacted or are pursuing legislation aimed at regulating the cybersecurity measures of insurance companies.

In 2017, the National Association of Insurance Commissioners (NAIC) published a model rule that follows many of the NYDFS cybersecurity requirements, and most states are using that model in fashioning legislation for the insurance industry.

South Carolina, Michigan, and Ohio enacted cybersecurity laws applicable to insurance companies in the past year, and Mississippi, Connecticut, and New Hampshire have bills pending in their legislatures. More to come, for sure.

Since some states are not using the model law, there will be some variations from state to state. But basic security measures will be required in most of them, including having a Written Information Security Program (WISP) in place, completing a security risk assessment, and implementing procedures around incident response and breach notification. Just as in other areas of the law, such as breach notification, it will be important to follow the most stringent law if a company does business nationally or in multiple states, and to stay current as states adopt new laws regulating cybersecurity.

In its July 2018 report on “A Financial System that Creates Economic Opportunities,” the U.S. Treasury Department outlined its proposals to identify improvements to the regulatory landscape to “better support nonbank financial institutions, embrace financial technology, and foster innovation.”

The Treasury Report contains over 80 specific recommendations for “Embracing Digitization, Data and Technology,” “Aligning the Regulatory Framework to Promote Innovation,” “Updating Activity-Specific Regulations” and “Enabling the Policy Environment.”

Under the heading of “Enabling the Policy Environment,” Treasury’s first recommendation is to establish a “regulatory sandbox” to enhance and promote innovation free from undue regulatory and statutory impediments.

This recommendation echoes efforts to promote new financial technology products previously announced by the CFPB and the State of Arizona. In announcing its initiative, the CFPB stated that its newly created Office of Financial Innovation will focus on “creating policies to facilitate innovation, engage with entrepreneurs and regulators, and review outdated or unnecessary regulations”.

The fact that other Federal and state regulators have their own plans for “regulatory sandboxes” highlights one of the challenges facing Treasury’s proposal to create a “unified solution that coordinates and expedites regulatory relief . . . to permit meaningful experimentation for innovative products, services and processes.” The potential rub is that the Treasury’s proposal goes on to provide that if [other] financial regulators are unable to fulfill those objectives, Congress should consider preemption of state laws.

One prominent state regulator’s reaction was unequivocal. Maria Vullo, New York’s DFS Superintendent, assailed the Treasury proposal. “Toddlers play in sandboxes. Adults play by the rules,” according to Superintendent Vullo, who went on to say: “The idea that innovation will flourish only by allowing companies to evade laws that protect consumers . . . and safeguard markets . . . is preposterous.”

Clearly the U.S. must adapt its financial services regulatory framework to compete effectively in the rapidly evolving world of financial services. New financial services breakthroughs will almost certainly be accompanied by new risks. Blockchain technology and artificial intelligence will likely drive unprecedented innovation in the financial services industry—and pose unprecedented risks along the way. 21st Century regulations must be developed to cope with these risks, as well as the current regulatory concerns with safety and soundness, consumer protection and data security.

One can debate the merits of a “unified regulatory sandbox” —but one thing is certain—cooperation, collaboration and innovation on the part of U.S. financial service regulators is essential.

Cybersecurity hit the news hard in 2016. The number of high profile, and troubling, cyber incidents increased significantly. The hacking of the Democratic National Committee and one of Clinton’s top advisors, with emails leaked by Russia according to intelligence reports, may have influenced the U.S. election. Theft of documents from the Mossack Fonseca law firm in Panama (the “Panama Papers”) opened the window into offshore holdings of individuals and companies, and showed the high cyber risk law firms bear. A new type of Distributed Denial of Service (DDoS) attack, using tens of thousands of Internet of Things (IoT) devices, took down a significant part of the US internet infrastructure for hours. Hospitals, police departments, and many companies and individuals were the subject of ransomware attacks – and many of those learned how to obtain Bitcoins to get their data and systems back. Attacks on banks using the SWIFT network resulted in over $100 million in thefts from banks, and concerns about the security of the underpinnings of the financial system as a whole. Yahoo! announced two breaches, with the second resulting in the disclosure of information on over 1 billion accounts. The National Security Agency (NSA) was reportedly hacked by a group called the Shadow Brokers (perhaps a Russian group), who stole secret NSA hacking tools and put them up for sale. Portions of the Ukrainian power grid were taken off-line in winter by a cyber-attack – for the second time. A cyber-attack against a UK bank, Tesco, resulted in millions of dollars stolen from accounts. The list goes on and on.

Cybersecurity professionals are fighting an uphill battle. There is little to no regulation on cybersecurity. The strongly negative response by the financial services companies to the New York Department of Financial Services (NYDFS) proposed Cybersecurity Regulation shows that consistent regulation in this area is unlikely in 2017 – although a revised NYDFS Cybersecurity Regulation is expected on December 28. Critical infrastructure in the United States and around the world is at risk. For example, reports of malware on control systems that control portions of the energy systems and electric grid abound. The worry is that 2017 will be the year of some cyber event where some institutions are crippled, and perhaps where large numbers of people will be injured or killed. With the increase in IoT devices with poor or no security, the advances in cyber attack capabilities, including the sale of those capabilities as services (Phishing as a Service was reported in 2016), and the lack of official standards and requirements for cybersecurity, together with increased international political tensions and terrorist ambitions, the possibility of a major cyber event is increasing. The Great Fire in Boston in 1872, the Great Fires in London in 1212 and 1666, the Great Fire in Chicago in 1871, the Great Fires in New York City in 1776 and 1835, and the Great Fire in Tokyo in 1923, among others, led to substantive building and fire codes in most of the world. Many experts worry about the Great Cyber Fire.

On September 13, 2016, Governor Andrew Cuomo announced the first proposed broadly applicable cyber regulation in the U.S. (the “Regulation”). The Regulation covers banks, insurance companies and other financial institutions (Covered Entities) regulated by the New York Department of Financial Services (the “DFS”). The Regulation is tightly focused, but with broad reach. It appears to adopt aspects of other regulations and standards, but then adds some unique requirements that create the most sweeping and protective regulation proposed. If adopted in a form close to the draft presented, financial institutions regulated by the DFS will have significant responsibility, and oversight, for protecting core operations and data, which extends far beyond personally identifiable information covered by most existing statutes and regulations.

At the core is the Regulation’s first section, which requires Covered Entities to “establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” This requirement is analogous to, and may have been modeled on, Section 242.1001(a) of the Securities and Exchange Commission’s Regulation Systems Compliance and Integrity (Reg SCI). This seemingly simple requirement has broad implications, as failures of data and systems integrity and availability have the potential to be far more devastating to institutions and individuals than confidentiality breaches. Much of the Regulation provides the regulatory scaffolding designed to ensure that Covered Entities meet this requirement.

However, whereas Reg SCI uses language in its core requirement that does not have clear definition in existing cybersecurity standards, DFS took another route. By using the terms “confidentiality, integrity and availability” and requiring Covered Entities to identify Nonpublic Information, the sensitivity of Nonpublic Information, and how and by whom such Nonpublic Information may be accessed, the Regulation incorporates concepts that appear to come directly from the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 (NIST 800-53 Standard). The NIST 800-53 Standard requires data and systems identification and classification, and may provide an analogous structure that could be used for much, but not all, of the policies, processes and procedures required by the Regulation.


The New York Department of Financial Services (NYDFS) made history last summer when it proposed Bitcoin regulations (reportedly the first in the nation), including a requirement that financial firms handling virtual currencies or Bitcoins in New York or for New York residents obtain a license from NYDFS.

On June 3, 2015, the NYDFS adopted the final regulations, entitled “Virtual Currencies.” The final Regulations prohibit any person or entity from conducting any Virtual Currency Business Activity without a license. Persons or entities chartered under New York Banking Law and approved by the Superintendent to engage in Virtual Currency Business Activity and merchants and consumers that utilize Virtual Currency solely for the purchase or sale of goods or for investment purposes are exempted from the licensure requirement.

The regulations have gone through two iterations with months of comments, roundtables and conferences sponsored by NYDFS. Primarily adopting the second version of the proposed Regulations, they are designed to regulate the “conduct of business involving Virtual Currency.” They require that cybersecurity policies be put in place by companies obtaining a Virtual Currency license, including identifying a Chief Information Security Officer and Compliance Officer; that detailed books and records be kept on all customers so they can no longer be anonymous; that detailed records be kept of each Virtual Currency transaction; and that the accounts of any users suspected of engaging in fraudulent activity be suspended. In addition, written compliance policies must be developed and adopted, including “policies with respect to anti-fraud, anti-money laundering, cyber security, privacy and information security,” and such policies “must be reviewed and approved by the Licensee’s board of directors or equivalent governing body.”

The Regulations provide details on how to obtain a license and the initial application fee is $5,000 and is non-refundable. Although NYDFS is intent on regulating the new technology of Virtual Currencies, the Regulations do not provide for the payment of the application fee with Bitcoins and we suspect that NYDFS’ technology system might not be able to handle a Bitcoin transaction.

Importantly, companies engaged in Virtual Currency Business Activity must apply for a license by July 20, 2015 or will be deemed to be “conducting unlicensed Virtual Currency Business Activity,” and subject to regulatory enforcement by NYDFS. This gives Virtual Currency businesses a very short time frame to shore up policies and procedures and other requirements in order to obtain a license and comply with the Regulations.

Shortly after the discovery of a cybersecurity breach at the health insurance company Anthem, Inc., the National Association of Insurance Commissioners (NAIC) called for a multi-state examination of Anthem’s cybersecurity practices to determine what protections were in place and what actions could have been taken to minimize data losses. The examination is currently underway and led by insurance regulators from California, Indiana, Maine, Missouri, New Hampshire, North Dakota and South Carolina. It should be noted that while this appears to be the first large scale multi-state examination of an insurer’s cybersecurity practices, some insurance departments, such as Connecticut’s, have already been conducting reviews of insurers’ cybersecurity policies and procedures as part of their regular examinations.

Subsequently, NAIC released for comment two draft documents on cybersecurity. The first draft document, developed by NAIC’s recently created Cybersecurity Task Force, is entitled “Principles for Effective Cybersecurity Insurance Regulatory Guidance” (the Principles). The Principles were designed to help state insurance departments identify cybersecurity risk and establish uniform standards to protect against it. The Principles also identify ways in which state regulators and NAIC can work with the insurance industry to flag these risks and work together on meaningful solutions.

The second draft document, developed by NAIC’s Property and Casualty Insurance Committee, is NAIC’s “Annual Statement Supplement for Cybersecurity Policies” (the Supplement). The Supplement reviews recent cybersecurity exposures.

In addition to NAIC’s multi-state examination of Anthem, and its release of the draft Principles and Supplement, the New York State Department of Financial Services (NYDFS) is also looking into insurers’ cybersecurity practices. NYDFS recently released the results of its cybersecurity survey of insurance companies. The survey inquired about insurers’ current and future cybersecurity programs, including their use of third-party vendors. Forty-three insurance companies responded to the survey and provided insight into existing and planned cybersecurity programs, as well as the nature of measures taken by them to safeguard sensitive data and/or to protect against loss due to security incidents.

NYDFS is the principal regulator for insurance companies operating in the State of New York, as well as certain financial entities and other financial institutions. NAIC is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories.