New cybersecurity regulations which have just come into effect
in New York set out specific and prescriptive requirements
for the financial services industry. The regulations (23 NYCRR
Part 500) may well be an indicator of things to come in Australia, where
an increased focus is already being placed on cyber and data
security, with laws regarding
mandatory data breach notification having just been enacted.
The New York regulations were initially released in draft in
September 2016. While many aspects were consistent with existing
cybersecurity principles, the regulations were seen to go above and
beyond the status quo. Notably, the proposed regulations dealt with
'nonpublic information' which was defined very broadly,
meaning that entities falling within the regulations (known as
'Covered Entities') were burdened with protecting a wide
scope of information. Covered Entities under the regulations
include, for example, financial service providers, investment
companies, brokers and insurers.
Following a consultation period, changes were made to the
initial draft. These included a loosening of some of the more
onerous requirements. The meaning of 'nonpublic
information' was narrowed and 'risk assessments' were
provided for, which would inform the implementation of measures on
an entity-by-entity basis (rather than a one-size fits all
arrangement). The final form of the regulations came into effect on
1 March 2017 with a 180-day transitional period. However, there are
some exemptions for smaller companies, such as those with
fewer than 10 employees or those with gross annual revenue or
year-end total assets below certain thresholds.
Noteworthy aspects of the final regulations include requiring
Covered Entities to implement a cybersecurity program and
cybersecurity policy which would be based on the risk assessments
that must be carried out periodically. Covered Entities also need
to appoint a Chief Information Security Officer responsible for
overseeing the cybersecurity program and policy. Qualified
cybersecurity personnel are now required to perform certain core cybersecurity functions.
Significantly, Covered Entities are required to provide a signed
annual certification of compliance from February 2018. Although the
regulations do not spell this out, the effect of this requirement
is that the person(s) submitting the certification (a 'Senior
Officer' or the board of directors, for example) could potentially
face individual liability if the certificate contains a false
statement.
It appears that US regulators are developing a model
cybersecurity law, and as such it seems likely that the New York
regulations are a sign of things to come on the US front.
Back in Australia, and further to the introduction of the
mandatory data breach notification legislation, we are also shortly
anticipating some cyber initiatives such as an upcoming release by
the ASX of the results of its 'ASX 100 Cyber Health Check'.
We expect this will provide some insight into how some of the
largest organisations in Australia manage their cybersecurity risks
and cybersecurity incidents.
In addition, the Australian Signals Directorate, the national agency
responsible for the provision of cyber security advice, recently
published its updated
Strategies to Mitigate Cyber Security Incidents. This provides
some key advice as to how organisations can prepare for
cybersecurity incidents and sets out eight essential mitigation
strategies (the 'Essential Eight'):
application whitelisting, whereby only selected software
applications are permitted to run;
patching applications, to fix security vulnerabilities in software;
configuring Microsoft Office macro settings to block macros from
the Internet and only allow vetted macros;
user application hardening, such as blocking web browser access to
Flash, ads and Java;
restricting administrative privileges;
patching operating systems;
multi-factor authentication; and
daily backup of important data, and securing it offline.
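As an added, concrete illustration of one of these strategies (the Microsoft Office macro settings item), the following PowerShell script applies and audits the two policy values that implement it. It is an example written for this page, not code from the article or from the ASD guidance. It assumes Office 2016/2019/Microsoft 365, whose policy keys sit under the "16.0" version segment, and writes to the current user's policy hive, which is what a per-user Group Policy Object would populate; in production the settings should be delivered by GPO rather than by script.

```powershell
# Added example (not from the article or the ASD guidance): apply and audit the
# Office macro policy values behind the Essential Eight "configure Microsoft
# Office macro settings" strategy.
# Assumptions: Office 2016/2019/Microsoft 365 (policy version key "16.0");
# values are written to HKCU, mirroring what a per-user GPO would set.

$OfficeVersion = '16.0'
$Apps = @('Word', 'Excel', 'PowerPoint')

function Set-OfficeMacroPolicy {
    param(
        [string]$Version = $OfficeVersion,
        [string[]]$Applications = $Apps
    )
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # blockcontentexecutionfrominternet = 1 enables "Block macros from running
        # in Office files from the Internet" (files carrying the Mark-of-the-Web).
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        # VBAWarnings: 1 = enable all macros (weak), 2 = disable with notification
        # (the default; one click re-enables), 3 = disable all except digitally
        # signed, 4 = disable all without notification. 3 implements "only allow
        # vetted macros" when the signing certificate is one the organisation trusts.
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
    }
}

function Test-OfficeMacroPolicy {
    param(
        [string]$Version = $OfficeVersion,
        [string[]]$Applications = $Apps
    )
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        $block = if ($null -ne $props) { $props.blockcontentexecutionfrominternet } else { $null }
        $vba   = if ($null -ne $props) { $props.VBAWarnings } else { $null }
        # Compliant only when Internet macros are blocked AND unsigned macros
        # cannot be enabled by the user (VBAWarnings 3 or 4).
        [pscustomobject]@{
            Application       = $app
            BlockFromInternet = $block
            VBAWarnings       = $vba
            Compliant         = ($block -eq 1) -and ($vba -in 3, 4)
        }
    }
}

# Usage: audit the current state, apply the policy, then re-audit.
Test-OfficeMacroPolicy | Format-Table -AutoSize
Set-OfficeMacroPolicy
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: macros in Office "Trusted Locations" bypass the VBAWarnings setting entirely, which is why the ASD guidance also restricts write access to those locations; and a value written directly to HKCU affects only the current user and can be undone by that user, whereas the same value delivered by Group Policy is re-applied on each policy refresh.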
It's clear that a growing focus is being placed on
cybersecurity and protecting information from cyber security
threats. With an ever-increasing number of cyber-attacks and data
breach incidents, it is now more important than ever that
organisations put systems in place to mitigate the risks, thereby
placing them in good stead for any future increase in the level
of regulation.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.