Cyber rules in New York expand protection of data
Last week, New York State's new cybersecurity requirements for financial institutions came into full effect, including mandatory minimum standards for protecting customer data at firms that fall under the state financial watchdog's purview.
But it isn’t just Wall Street giants who are being affected: Regulated financial institutions must also ensure that all third-party companies with which they do business demonstrate a minimum level of cybersecurity and report any breaches that impact their data.
These requirements have Canadian security experts taking note.
“One of the things that I found most interesting about the New York State legislation,” says Katherine Thompson, Cyber Council chair at the Canadian Advanced Technology Alliance, “is the changes that are going to impact the securing of the supply chain.”
Thompson says that while Canada's Big Five banks — RBC, TD, Scotiabank, Bank of Montreal and CIBC — have strong cybersecurity practices in place, they are now starting to look at securing their third-party business partners as well. "What this means for small- to medium-sized Canadian businesses is, you may not see yourself as a risk, but the Big Five that you do business with are going to start seeing you as one. So you're going to need to demonstrate your cyber readiness."
Imran Ahmad, Cyber Security Practice Lead at Miller Thomson, says having regulations that address smaller businesses is a significant step forward. “The smaller financial institutions which may not have the same type of resources, the same type of focus on cybersecurity, need a bit more guidance and a bit more help. Quite frankly, they need a clear understanding of what the expectation is for them to meet those standards.”
Other specific requirements in the new regulations include mandatory multi-factor authentication for remote access to company networks, an obligation to designate a Chief Information Security Officer, and mandatory reporting of breaches. None of these is yet required of Canadian institutions.
Thompson says regulations in Canada are not as robust as those in New York, but that cybersecurity at major banks is still very strong.
While financial oversight bodies such as the Office of the Superintendent of Financial Institutions (OSFI) and the Investment Industry Regulatory Organization of Canada (IIROC) provide guidelines, the protection of personal information across Canadian private-sector industries is currently governed by federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), rather than by a cybersecurity-specific regulation.
PIPEDA was most recently amended by the Digital Privacy Act in 2015 to strengthen its security-breach provisions. The amendment requires all organizations that hold personal information, regardless of size, to keep auditable records of every security breach and to provide those records to the Privacy Commissioner on request. The Act also provides for a fine of up to $100,000 for an organization that knowingly fails to meet these obligations.
Most importantly, the amendments make it mandatory for organizations to report a security breach to the commissioner, and to notify the affected individuals, where the breach poses a real risk of significant harm to them.