While information governance has been a best practice in cybersecurity, outside of the Federal government and Sarbanes-Oxley financial reporting requirements, for the most part, regulations have not required information governance. That is rapidly changing. The New York Department of Financial Services new cybersecurity regulation has intensive information governance requirements that go beyond personal information. the European Global Data Protection Regulation also has significant information governance requirements. This session will discuss some of these regulatory requirements and where regulation is going in these areas.

2. Richard M. Borden

4. • Cyber crime costs $400 billion annually – Lloyd’s
• Global cyber insurance uptake growing 21% annually
• $2.5 billion in written cyber premiums in 2016
• Rating agencies now addressing cyber-maturity in credit ratings
• Cybersecurity is dominant risk for CEOs
• 70% view it a major threat
• $3 trillion market value destroyed in 2015
• “Top 5” risk likelihood – 2017 World Economic Forum
• Most companies remain unprepared:
• Only 58% of companies have resources to comply with security regulations
• 1.5 million InfoSec job shortage by 2019
• Only 21% of companies at “mature” stage
• Only 1/3 of corporations have a data breach response plan
The Cybersecurity Backdrop

5. New York 23 NYCRR 500 - The Significance
• Billed as a “first-in-the-nation”
regulation concerning
cybersecurity
• Arguably the most stringent
broadly applicable cyber
regulation in existence
• Goes beyond other data privacy
and cybersecurity regulations,
including the Graham Leach Bliley
Act
• Covers information and systems
that do not include, store, process
or maintain PII
• Requires new compliance
processes and is built around the
Risk Assessment
• Likely modification and expansion
of existing protocols to meet
regulatory requirements
• C-Suite must personally certify
compliance with the Regulation
on an annual basis

6. • Each Covered Entity shall maintain a cybersecurity program designed
to protect the confidentiality, integrity and availability of the Covered
Entity’s Information Systems.
• The cybersecurity program shall be based on the Covered Entity’s Risk
Assessment and designed to perform the following core cybersecurity
functions:
• identifyandassessinternalandexternalcybersecurityrisksthatmaythreatenthesecurityor
integrityofNonpublicInformationstoredontheCoveredEntity’sInformationSystems
• usedefensiveinfrastructureandtheimplementationofpoliciesandprocedurestoprotectthe
CoveredEntity’sInformationSystems,andtheNonpublicInformationstoredonthose
InformationSystems,fromunauthorizedaccess,useorothermaliciousacts
• detectCybersecurityEvents
• respondtoidentifiedordetectedCybersecurityEventstomitigateanynegativeeffects
• recoverfromCybersecurityEventsandrestorenormaloperationsandservices
• fulfillapplicableregulatoryreportingobligations
The Main Requirement – 500.02

7. • InformationSystemmeansadiscretesetofelectronicinformationresources
organizedforthecollection,processing,maintenance,use,sharing,disseminationor
dispositionofelectronicinformation,aswellasanyspecializedsystemsuchas
industrial/processcontrolssystems,telephoneswitchingandprivatebranch
exchangesystems,andenvironmentalcontrolsystems.
The Main Requirement – 500.02 (cont.)

8. • NonpublicInformationshallmeanallelectronicinformationthatisnotPublicly
AvailableInformationandis:
• BusinessrelatedinformationofaCoveredEntitythetamperingwithwhich,orunauthorizeddisclosure,
accessoruseofwhich,wouldcauseamaterialadverseimpacttothebusiness,operationsorsecurityof
theCoveredEntity
• anyinformationconcerninganindividualwhichbecauseofname,number,personalmark,orother
identifiercanbeusedtoidentifysuchindividual,incombinationwithanyoneormoreofthefollowingdata
elements:(i)socialsecuritynumber,(ii)drivers’licensenumberornon-driveridentificationcardnumber,(iii)
accountnumber,creditordebitcardnumber,(iv)anysecuritycode,accesscodeorpasswordthatwould
permitaccesstoanindividual’sfinancialaccount,or(v)biometricrecords
• anyinformationordata,exceptageorgender,inanyformormediumcreatedbyorderivedfromahealth
careprovideroranindividualandthatrelatesto(i)thepast,presentorfuturephysical,mentalorbehavioral
healthorconditionofanyindividualoramemberoftheindividual'sfamily,(ii)theprovisionofhealthcareto
anyindividual,or(iii)paymentfortheprovisionofhealthcaretoanyindividual
The Main Requirement – 500.02 (cont.)

9. Information Governance Implications
• What systems are considered
“Information Systems” that must be
protected under 500.02?
• What is “Nonpublic Information” that
is not Personal Data/Personally
Identifiable Information?
• The Regulation required new types
of system and data classification.
• It is critical to know what systems
house, process and access
Nonpublic Information.
• Written Data Governance Policies
and Procedures are required to be
part of the Cybersecurity Policy,
which must be approved by Senior
Officer(s). 500.03(b)
• The Risk Assessment, which is the
basis of the Cybersecurity Program
and the related Policies and
Procedures, requires written criteria
for assessment of the Program
including adequacy of controls.
500.09
• There are requirements to dispose
of Nonpublic Information. 500.13
• Systems must be maintained that
“are designed to reconstruct
material financial transactions
sufficient to support normal
operations and obligations….”
500.06

10. • The Regulation requires a Covered Entity to submit to DFS a
written Certification of Compliance by February 15, 2018
• The written statement would require the signature of the
Chairperson of the Board of Directors of the entity or named
Senior Officer(s) (i.e. CEO or committee) certifying that such
person has reviewed documents, reports, certifications and
opinions of such officers, employees, representatives and
outside vendors
• Similar to a Sarbanes-Oxley 404 certification
Annual Compliance Certification

12. EU Global Data Protection Regulation (GDPR)
• The EU General Data Protection
Regulation (GDPR) replaces the Data
Protection Directive and was designed
to harmonize data privacy laws across
Europe, to protect and empower all EU
citizens data privacy and to reshape
the way organizations across the
region approach data privacy.
• The GDPR not only applies to
organizations located within the EU but
it will also apply to organizations
located outside of the EU if they offer
goods or services to, or monitor the
behavior of, EU data subjects. It
applies to all companies processing
and holding the personal data of data
subjects residing in the European
Union, regardless of the company’s
location.
• Organizations can be fined up to 4% of
annual global turnover for breaching
GDPR or €20 Million. This is the
maximum fine that can be imposed for
the most serious infringements e.g. not
having sufficient customer consent to
process data or violating the core of
Privacy by Design concepts. There is a
tiered approach to fines e.g. a
company can be fined 2% for not
having their records in order (article
28), not notifying the supervising
authority and data subject about a
breach or not conducting impact
assessment. It is important to note that
these rules apply to both controllers
and processors -- meaning 'clouds' will
not be exempt from GDPR
enforcement.