On March 1, new regulations go into effect in New York State, requiring that all regulated financial services institutions have a cybersecurity program in place, appoint a Chief Information Security Officer, and monitor the cybersecurity policies of their business partners.
It might seem a little sudden, since the regulations were only finalized a month ago. But it's actually not as bad as it sounds.
"There's a transitional period," said Brad Keller, senior director of third party strategy at Prevalent. "Everyone has six months to be in compliance."
And then, after that, the actual certification happens annually, on Feb. 15 of each year, he added.
That's when every bank, insurance company, or other regulated financial services company has to submit its statement that it has reviewed all necessary documents and reports, including those from outside vendors, and that its cybersecurity program complies with the regulation's requirements.
The first thing that firms need to do is conduct a comprehensive risk assessment, since that's the starting point for deciding how to meet many of the regulation's other requirements.
"For example, you have to decide how you're going to deploy encryption based on your findings in the risk assessment," he said. "You need to have documented support for why you're doing what you're doing. You're going to have to demonstrate the process you went through."
Larger enterprises with mature cybersecurity processes might already have all or most of what they need to meet the new regulations, and will just need to review everything and then pull it all together.
Other firms might have to do some work.
For example, banks are now required to scrutinize their suppliers, said Balázs Scheidler, CTO and Co-Founder at BalaBit IT Security.
"Those with remote access might be the leverage that an attacker would use to cross the perimeter, move laterally and take what they're after, as happened with the Target breach," he said.
This should already be a best practice that all firms follow.
The Federal Financial Institutions Examination Council updated its guidance on preventing banking fraud in 2011, including an explicit section on risk assessments, said Brian Laing, vice president of products and business development at Lastline.
"Most financial institutions already have in place many of the safeguards and policies outlined in the New York State regulations," he said.
New York is just the start
Individual states can have an outsize impact, far beyond their borders, like California has with its car emission and breach notification standards.
It works in two ways. First, states and countries look at what their peers are doing, and if something is working well elsewhere, they'll copy it.
"We're seeing this with a lot of other regulations," said Willy Leichter, vice president of marketing at security vendor CipherCloud. "California implemented the first breach notification law and it was quickly copied."
"There is a good chance that New York's proposed rules could become the new industry standard," said Christian Lees, CTO and CSO at security vendor InfoArmor.
And, of course, many companies do business in more than one jurisdiction. In particular, New York, as a global financial capital, touches firms from around the country, and around the world.
To make it easier for themselves, companies aren't going to try to have different processes in place for different jurisdictions, said Gerry Stegmaier, a privacy and cyber law partner at Reed Smith LLP.
"People are going to benchmark their compliance to the strictest requirements," he said.
For example, some states require that attorneys general be notified when there's a breach, and others don't -- and a company might just decide to notify everybody instead of trying to keep track of which is which.
"The strictest state will be the driver," he said.
There can be a problem, however, if one jurisdiction has rules that contradict another.
For example, the SEC requires the retention of records for consumer protection purposes, he said. Meanwhile, residents of the European Union have a "right to be forgotten."
Those kinds of issues will need to be settled through diplomatic channels, and, until they are, companies will need to make Solomonic decisions, he said. "Businesses are being forced to split the baby, literally, because you can't follow both laws at the same time."
Next year, the General Data Protection Regulation goes into effect in Europe, as well, which could also pose some challenges.
And there's also another question that might take some time to resolve, he said.
"One of the things we're seeing is an enormous amount of tension between what is a legal requirement and what is a best practice," he said. "And if the best practice is a legal requirement -- and what the hell is a best practice. Simply because Bruce Schneier says it is, or someone in the New York Attorney General office says it's a best practice, is it really?"