Private equity firms doing business in the state of New York must adopt cybersecurity protections to comply with new requirements issued by the New York Department of Finance. The goal of the regulations is to avoid customer data breaches and other cybersecurity breakdowns, such as the suspected hacking of Chipotle customers’ debit and credit card information and the breach that exposed AMP Futures trading account applicants.
The new cybersecurity regulation, which applies to all financial services companies in the state, went into effect on March 1. Companies have 180 days to comply with some of the requirements and up to two years to comply with all of them.
PE firms will have to show the steps they take to protect data access privileges, and how they establish a sound audit trail to track their handling of sensitive data, says Steve Durbin, managing director of the Information Security Forum, a non-profit association that offers best-practice guidance and consulting services on cybersecurity.
For many firms, the compliance burden will be more of a task of documentation than of implementing new procedures, Durbin says: “If you think about the process that PE firms tend to go through, then a lot of them will have fairly structured processes in place already. This is just reinforcing the fact that they need to be able to demonstrate that those things are in place.”
New York seems to be particularly concerned about third-party data breaches, such as data leaked from cloud computing service providers, Durbin says. Companies will have to certify that their customers’ data is secure at all times, including when it is in transit to and from the cloud and while it is stored on the cloud.
The regulation requires companies to document their due diligence and annual assessment of third-party providers’ cybersecurity practices, as well as ensure that the providers use encryption and multi-factor authentication to protect data, and that they promise to meet certain breach notification requirements in their service contracts.
“If you're using a third-party cloud provider, then you need to be having a conversation with that third party about exactly what security is in place and how that maps across what your requirements might be,” Durbin advises.
The New York regulation also requires financial services companies to adopt a written cybersecurity policy, identify potential cybersecurity risks, appoint a qualified company employee responsible for cybersecurity, train employees on cybersecurity and have the chairman of the board or a senior officer vouch for the company’s compliance.