Emory Corporate Governance and Accountability Review

Follow the Leader: Using 23 N.Y.C.R.R. 500 to Craft a Safer Financial World
Anthony Georgiafandis

Emory University School of Law, J.D. Candidate, 2019; Staff Writer, Emory Corporate Governance and Accountability Review; President, Emory Corporate and Business Law Society; B.S. Finance and International Business, University of Tennessee at Knoxville. I would like to thank my parents, George and Christine, and sister, Eleni, for their constant encouragement and guidance. I would also like to thank the ECGAR executive board and the ECGAR editing team for helping me throughout the writing process to refine my work.

Introduction

The ongoing struggle with cybersecurity will be difficult to overcome without proper support and regulations. Attackers’ approaches are growing in sophistication, demanding quick responses from critical industries worldwide. 1 Greg Baer and Rob Hunter, A Tower of Babel: Cyber Regulation for Financial Services, Banking Perspective from The Clearing House, https://www.theclearinghouse.org/research/banking-perspectives/2017/2017-q2-banking-perspectives/cyber-regulation-for-financial-services. By 2021, experts estimate that cybercrime damages will cost the world up to $6 trillion annually. 2 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About, CSO from IDG (Dec. 5, 2017), https://www.csoonline.com/article/3239681/security/changing-cybersecurity-regulations-that-global-financial-services-firms-need-to-know-about.html. As former Treasury Secretary Jack Lew notes, “[s]uccessful attacks on our financial system would compromise confidence, jeopardize the integrity of data, and pose a threat to financial stability.” 3 Kat Greene, Treasury Chief Wants More Cybersecurity At Financial Firms, Law360 (July 15, 2014), https://advance.lexis.com/api/permalink/b32852b0-53c0-4907-95bb-60a7699da608/?context=1000516. Accordingly, financial institutions must test and adapt their cybersecurity systems to address the ever-evolving threat posed by cybercriminals.

No one is safe from cyberattacks. Consequently, regulations are being implemented all over the world to ensure proper security measures are enacted to protect valuable data. 4 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017). In 2017, the New York State Department of Financial Services drafted and implemented a rule requiring banks and insurance companies to meet “regulatory minimum standards” (“23 N.Y.C.R.R 500”). 5 N.Y. Comp. Codes R. & Regs. Tit. 23, § 500. In doing so, New York set a powerful precedent for regulators to follow when promulgating cybersecurity regulations. 6 Steven Lofchie, NY Department of Financial Services Cybersecurity Regulation Now Effective, Mondaq (Sept. 6, 2017), https://advance.lexis.com/api/permalink/433e2ebf-d2c7-4a33-976e-2f12917c28ac/?context=1000516. It is critical that regulators across the globe promulgate, implement, and enforce cybersecurity regulations similar to the New York State Department of Financial Services’ regulation so that consumers’ data can be safe irrespective of where they do business. Globalization has enabled hackers to target individuals anywhere in the world. Accordingly, every country and/or region on Earth must have strict guidelines in place to protect individuals’ private financial data. New York’s strict guidelines set a strong standard for other states and nation states to follow when adopting their own guidelines, to help ensure global protections are enforced to the greatest extent possible.

To highlight the importance of increasing cybersecurity regulations within the financial services industry, this article first assesses how past cybersecurity breaches affected the financial industry domestically and abroad. Next, this article explores the expanding world of cybersecurity, before reexamining how 23 N.Y.C.R.R 500 has implications reaching far beyond New York City. Foreign regulations will be discussed, as a threat to cybersecurity anywhere can easily become a threat to cybersecurity everywhere. This article closes by underscoring the importance of expanding cybersecurity regulations globally.

I. Cybersecurity Breaches Affecting the Financial Industry

“Cyber threats have grown rapidly in frequency and sophistication, and financial institutions are confronted daily with fresh reminders of the nation’s vulnerability to cyberattack, whether from criminals, terrorists, or hostile nation-states.” 7 Greg Baer and Rob Hunter, A Tower of Babel: Cyber Regulation for Financial Services, Banking Perspective from The Clearing House. The cases that follow include some of the largest cybersecurity breaches to ever affect the financial services industry. Had management been required to abide by more sophisticated regulations, these breaches could have either been avoided altogether or at least stopped before damages reached crisis levels.

A. Heartland Payment Systems, Inc. – March 2008

The sixth-largest payment processor in the United States, Heartland Payment Systems (“Heartland”), experienced a breach in March of 2008. 8 Linda McGlasson, Heartland Payment Systems, Forcht Bank Discover Data Breaches, Information Security Media Group, Corp. (Jan. 21, 2009), https://www.bankinfosecurity.com/heartland-payment-systems-forcht-bank-discover-data-breaches-a-1168. This particular attack was part of a bigger cyber fraud operation. 9 Id. An estimated 134 million credit card numbers were exposed in the Heartland cyber-attack. 10 Taylor Armerding, The 17 Biggest Data Breaches of the 21st Century, CSO from IDG (Jan. 26, 2018), https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html. The hackers used “sniffer malware” as they went over Heartland’s processing platform, exposing card holder names and numbers. 11 Linda McGlasson, Heartland Payment Systems, Forcht Bank Discover Data Breaches (Jan. 21, 2009). Two unnamed Russians, along with a Cuban-American, were indicted by a federal grand jury for the international operation that stole these credit cards and debit cards. 12 Taylor Armerding, The 17 Biggest Data Breaches of the 21st Century (Jan. 26, 2018).

Visa and MasterCard notified Heartland of suspicious transactions from accounts it processed, which aided in exposing the attack. 13 Id. Heartland paid out around $145 million in compensation for fraudulent payments and was deemed out of compliance with the Payment Card Industry Data Security Standard, rendering Heartland unable to process payments of major credit card providers for about a year. 14 Id.

B. JP Morgan Chase – July 2014

In July 2014, JP Morgan Chase, “[t]he largest bank in the nation,” 15 Id. fell victim to the largest cyber breach of a financial institution in the history of the United States to that point. 16 Portia Crowe, JPMorgan Fell Victim to the Largest Theft of Customer Data from a Financial Institution in US History, Business Insider (Nov. 10, 2015), http://www.businessinsider.com/jpmorgan-hacked-bank-breach-2015-11. The breach involved data of more than half of all households in the United States, as well as 7 million small businesses. 17 Taylor Armerding, The 17 Biggest Data Breaches of the 21st Century (Jan. 26, 2018). In its filing with the Securities and Exchange Commission, JP Morgan Chase indicated the exposed data was mainly contact information and internal information about users. 18 Id. Although no customer financial information was taken, the depth of this attack shows that Wall Street was, and certainly remains, vulnerable to cybercrime. 19 Jessica Silver-Greenberg, Matthew Goldstein, and Nicole Perlroth, JPMorgan Chase Hacking Affects 76 Million Households, N.Y. Times (Oct. 2, 2014), https://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/.

The JP Morgan Chase breach came at a time when consumer confidence in American corporations’ digital operations market was declining. 20 Id. The decline of American trust in cybersecurity was owed in no small part to massive data breaches at Target 21 The Target breach affected 40 million cardholders, and 70 million others had their information compromised. Id., Home Depot 22 The Home Depot hack affected roughly 56 million cards. Id., and other major retailers. 23 Id. As the severity of the JP Morgan Chase breach became clear, bank executives scrambled to assure customers their money and financial information had not been compromised. 24 Id. JP Morgan Chase announced a plan to spend $250 million per year to improve its security measures. 25 Steven Howden, What was the cost of the JP Morgan Chase data breach?, Morgan McKinley Co. (Dec. 2, 2015), https://www.morganmckinley.co.jp/en/article/what-was-cost-jp-morgan-chase-data-breach.

C. Equifax – July 29, 2017

Equifax is one of three major credit reporting agencies in the United States, and is headquartered in Atlanta, Georgia. 26 Karen Hao, The complete guide to the Equifax breach, Quartz (Sept. 16, 2017), https://qz.com/1079253/the-complete-guide-to-the-equifax-breach/. On September 17, 2017, Equifax revealed a data breach affecting roughly 143 million 27 Verge Staff, 143 million compromised Social Security numbers: everything you need to know about the Equifax hack, The Verge (Sept. 7, 2017), https://www.theverge.com/2017/9/22/16345580/equifax-data-breach-credit-identity-theft-updates. Americans. 28 Breach at Equifax May Impact 143M Americans, Krebs on Security (Sept. 7, 2017), https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/. The International Data Group ranked 29 The rankings here are “based not necessarily on the number of records compromised, but on how much risk or damage the breach caused for companies, insurers, and users or account holders.” Taylor Armerding, The 17 Biggest Data Breaches of the 21st Century (Jan. 26, 2018). the Equifax cybersecurity breach as the fourth largest breach of the 21st century. 30 Id. Information jeopardized in the Equifax breach included Social Security numbers, birth dates, driver’s license numbers, and home addresses. 31 Breach at Equifax May Impact 143M Americans (Sept. 7, 2017). The Equifax cybersecurity breach had international consequences, as the breach allowed for unauthorized access to “limited personal information” for certain residents in Canada and the United Kingdom. 32 Id. This cybersecurity breach exposed the credit card data of 209,000 consumers. 33 Taylor Armerding, The 17 Biggest Data Breaches of the 21st Century (Jan. 26, 2018).

The Equifax cybersecurity hack began in May 2017 and lasted less than 3 months, but the damage was devastating. 34 Equifax first detected the hack on July 29. Nicole Perlroth and Cade Metz, Equifax Breach: Two Executives Step Down as Investigation Continues, N.Y. Times (Sept. 14, 2017), https://www.nytimes.com/2017/09/14/business/equifax-hack-what-we-know.html. Hackers attacked a public website application where consumers could dispute the accuracy of credit information collected by Equifax. 35 Id. When Equifax noticed suspicious internet traffic to the abovementioned application, it immediately took the application offline, fixed the issues, and put it back online; however, the damage was already done. 36 Id. The company immediately implemented changes, starting with the prompt retirement of its Chief Security Officer and Chief Information Officer. 37 Id.

II. Financial Industry Cyber Trends

Internet-based financial systems have grown consistently over the years. Much of the economy is moving towards computer networks, largely due to the convenience, efficiency, and overall speed computers can provide. However, there are consequences to these conveniences that must be addressed. 38 Jessica Silver-Greenberg, Matthew Goldstein, and Nicole Perlroth, JPMorgan Chase Hacking Affects 76 Million Households, N.Y. Times (Oct. 2, 2014). Cryptocurrencies and mobile wallets are two of the biggest steps taken in this direction within the recent decade.

A. Cryptocurrencies

Cryptocurrencies have been referred to by many as the future of money and global finance. 39 Charles Cooper, The Cybersecurity Side of Cryptocurrency, CSO from IDG (Feb. 23, 2017), https://www.csoonline.com/article/3166938/data-breach/the-cybersecurity-side-of-cryptocurrency.html. The first cryptocurrency, known as Bitcoin, was created in 2009. 40 Id. Bitcoin’s perceived utility led to the introduction of hundreds of other cryptocurrencies, often called altcoins. 41 Id. New altcoins are being introduced each day, further expanding the reach of the financial industry into the cyber world. 42 Id. This new technology allows people and institutions to move funds instantly without a middleman. 43 Susan Athey, 5 Ways Digital Currencies Will Change the World, World Economic Forum (Jan. 22, 2015), https://www.weforum.org/agenda/2015/01/5-ways-digital-currencies-will-change-the-world/. Cryptocurrencies are decentralized 44 A group of countries have discussed the possibility of issuing their own cryptocurrencies, which would lead to some cryptocurrencies no longer being decentralized. David Tweed, Why Governments Might Join the Cryptocurrency Craze, Bloomberg QuickTake (March 19, 2018), https://www.bloomberg.com/news/articles/2018-02-12/why-governments-might-join-the-cryptocurrency-craze-quicktake. For example, Venezuela’s president is proposing the idea of “the Petro.” Id. This will be a virtual currency backed by one barrel of oil per piece of currency. Id. Russia also plans to talk with countries including Brazil, China, India, and the five former Soviet republics about a possible supra-cryptocurrency that would cover countries with 40% of the world’s population. Id. and almost all operate without input from central banks. 45 Charles Cooper, The Cybersecurity Side of Cryptocurrency, CSO from IDG (Feb. 23, 2017), https://www.csoonline.com/article/3166938/data-breach/the-cybersecurity-side-of-cryptocurrency.html. This digital currency is extremely popular, with a market capitalization estimate of around $13 billion. 46 Id. The delay caused by regulators and governments attempting to create a legal structure and business norms governing cryptocurrencies has created a window of opportunity for fraud that cybercriminals are able to exploit. 47 Id.

Hackers took about $350 million worth of bitcoins in 2014 from Tokyo’s Mt. Gox exchange. 48 Id. More recently, hackers moved about $60 million of the altcoin Ether from the Decentralized Autonomous Organization to accounts held by an unknown individual or group. 49 Ian Demartino, Ethereum’s DAO Gets Hacked for $60M, Hardfork to Come?, Coin Journal (June 17, 2016), https://coinjournal.net/dao-gets-hacked-hardfork-come/. Although most of these funds were later recovered, this serves as yet another reminder that cybercriminals have the ability and are choosing to target all types of these cryptocurrencies. 50 Charles Cooper, The Cybersecurity Side of Cryptocurrency, CSO from IDG (Feb. 23, 2017), https://www.csoonline.com/article/3166938/data-breach/the-cybersecurity-side-of-cryptocurrency.html.

B. Mobile Wallets

In-store mobile payment usage rates are expected to grow 80 percent per year between 2016 and 2020. 51 BI Intelligence, The Mobile Payments Report: Market Forecasts, Consumer Trends, and the Barriers and Benefits that will Influence Adoption, Business Insider (June 3, 2016), http://www.businessinsider.com/the-mobile-payments-report-market-forecasts-consumer-trends-and-the-barriers-and-benefits-that-will-influence-adoption-2016-5. Using a phone to pay for something involves the following steps: the cashier rings up the order, the customer authenticates the transaction via passcode or fingerprint scan, the customer taps the phone to the Near-Field Communication-supporting pin pad, and the smartphone chip exchanges data with the pin pad, thus completing the purchase. 52 How Secure are Mobile Payments?, Data Cap Systems, Inc. (2017), https://www.datacapsystems.com/blog/2017/2/1/how-secure-are-mobile-payments. Three of the greatest threats to the security of these mobile payments are use on public Wi-Fi, stolen devices, and phishing. 53 Id. Therefore, customers must be cognizant of how they use their devices because this is where the majority of the cybersecurity risk in mobile wallets lies. 54 Id.

Certain current threats have persisted and will continue to persist with regard to mobile wallets, but there are other approaches certain to gain popularity as well. 55 John Rampton, Your Security Concerns About Using Mobile Payments Are Valid, Entrepreneur (Oct. 4, 2016), https://www.entrepreneur.com/article/282722. Extortion hacks, 56 Id. (“where attackers threaten to release sensitive company or customer data if the victim doesn’t pay up or meet some other demand.”). also known as ransomware, were predicted to become, and have become, more common in this type of spending. 57 Id. Other threats to look out for in the future include hackers changing or manipulating data, figuring out chip and pin frauds, a rise in IoT botnets, and attacks via other backdoors. 58 Id. It is essential that the infrastructure behind mobile payments becomes more robust, but in the meantime, many systems are being secured thanks to their use of tokenization. 59 How Secure are Mobile Payments?, Data Cap Systems, Inc. (2017) (Apple Pay, Android Pay, and Samsung Pay are among some of the mobile wallets that utilize tokenization.).

III. United States Financial Services Industry Cybersecurity Regulations

Cyberattacks targeting organizations with sophisticated and timely attacks are quickly becoming a global epidemic. 60 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017). Cybercriminals are increasingly targeting critical infrastructure and healthcare organizations, using ransomware attacks or outright stealing consumers’ personally identifiable information. 61 Personal Identifiable Information here includes personal financial records. Id. This information can be later sold on the dark web for profit and used in various ways after that. 62 Id. Regulations have increasingly been put into place throughout the world in order to help prevent these attacks from continuing.

According to the 2017 United Nations Global Cybersecurity Index, the United States has the second-strongest cybersecurity in the world. 63 George R. Lynch, U.S. Has Second Strongest Cybersecurity in the World: UN Reports, Bloomberg News (Jul. 14, 2017), https://www.bna.com/us-second-strongest-b73014461766/. The federal government has not taken much action within the 21st century to regulate cybersecurity for the financial services industry; however, individual states have been taking the initiative and the next steps to help protect consumers’ private financial data. 64 Tom Gilheany, The State of Cybersecurity Laws in the Financial Services Industry, CISCO (May 18, 2017), https://learningnetwork.cisco.com/blogs/talking-tech-with-cisco/2017/05/18/the-state-of-cybersecurity-laws-in-the-financial-services-industry. In 2017, at least 28 states considered or enacted cybersecurity legislation, and some specifically targeted the financial services industry. 65 Cybersecurity Legislation 2017, National Conference of State Legislatures (Dec. 29, 2017), http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2017.aspx. Colorado organized a state cybersecurity council to provide policy guidance to the governor in hopes of furthering regulations. 66 Tom Gilheany, The State of Cybersecurity Laws in the Financial Services Industry, CISCO (May 18, 2017), https://learningnetwork.cisco.com/blogs/talking-tech-with-cisco/2017/05/18/the-state-of-cybersecurity-laws-in-the-financial-services-industry. One of many bills signed in California has made it a criminal offense for a person to knowingly introduce ransomware into any computer, computer system, or network. 67 Id. Utah has imposed civil penalties for hackers. 68 Id. The New York State Department of Financial Services’ “first-in-nation” cybersecurity regulation has taken the lead in protecting the financial services industry. 69 Id.

A. The New York State Department of Financial Services and 23 N.Y.C.R.R 500

The New York State Department of Financial Services was created on October 3, 2011 by combining the functions of the New York State Banking Department and the New York State Insurance Department. 70 The Department of Financial Services, DFS: About Us (2017), http://www.dfs.ny.gov/about/dfs_about.htm. The Department of Financial Services’ mission is to develop New York’s financial services regulations to keep pace with the financial services industry’s rapid and dynamic evolution. 71 The Department of Financial Services, Mission (2017), http://www.dfs.ny.gov/about/mission.htm. The Department also guards against financial risk and protects market participants from fraud. 72 Id.

The financial services industry is a popular target for cybercriminals, who can cause significant losses for the Department of Financial Services regulated entities and for consumers’ private information that may be revealed, stolen for illicit purposes, or both. 73Access Business Technologies – Provides Compliant Software for New York State Department of Financial Services New Strict Cybersecurity Regulations for Mortgage Companies, Fin. Services Monitor Worldwide (Jan. 17, 2018), https://advance.lexis.com/api/permalink/ca146713-837f-4d64-b8a1-5b916e2ca34f/?context=1000516. The Department of Financial Services closely monitors the growing threats posed to information and financial systems by nation-states, terrorist organizations, and independent criminals, particularly those that have recently sought to exploit technological vulnerabilities that provide access to electronic data. 74Id. The Department of Finances’ goal is to prevent cybersecurity attacks. Accordingly, it plans to include cybersecurity in every Department of Financial Services examination to ensure all entities have proper cybersecurity practices in place. 75New York State Department of Financial Services Superintendent Vullo Issues Cybersecurity Filing Deadline Reminder, Mondo Visione (Jan. 22, 2018), https://advance.lexis.com/api/permalink/53ecb7f9-c50b-451d-99dd-4f75e2a1132d/?context=1000516.

In late 2014, the New York Department of Financial Services issued a letter to banking institutions chartered or licensed in the state of New York, informing them of an expansion of the Department of Financial Services’ information technology examination procedures to focus on cybersecurity issues. 76 New York Department of Financial Services Cyber Security Examination, Mondaq Business Briefing (Dec. 12, 2014), https://advance.lexis.com/api/permalink/48ab074c-89ff-4318-9fa5-bedcab2de65d/?context=1000516. That notice serves as the most recent example of an increasing focus among state and federal regulatory agencies and government officials on the importance of cybersecurity to the financial services industry. 77 Id. Many institutions are not compliant with these regulations, and therefore should prepare to comply with these stringent regulations before they are punished. 78 New York Takes Tough Stance on Financial Cyber Security, Business Insurance Magazine (Jan. 12, 2017), https://advance.lexis.com/api/permalink/2291ce4d-4da4-4510-bfa1-3422d56c85b0/?context=1000516 (“For example, this regulation requires report of a breach within 72 hours of the breach, and in order for this to happen a company needs to have in place a formalized instant response plan . . . The regulation contains some very specific demands that go beyond other regulations, including those related to nonpublic information, where the terms are defined very broadly.” – Business Insurance Magazine attorney Bess Hinson.). 23 N.Y.C.R.R 500 provides a series of deadlines to covered entities so they know when they must be in compliance with each guideline, thereby helping ease entities into compliance with the new, stringent regulation. 79 Access Business Technologies – Provides Compliant Software for New York State Department of Financial Services New Strict Cybersecurity Regulations for Mortgage Companies, Financial Services Monitor Worldwide (Jan. 17, 2018), https://advance.lexis.com/api/permalink/c6d0ffe5-e146-4c29-bc6e-c58851da1efe/?context=1000516. Covered entities are required to comply with the requirements of the Department of Financial Services’ regulations in their entirety by March 1, 2019. 80 Id.

As previously stated, 23 N.Y.C.R.R 500 came into effect on August 28, 2017. 81 New York State Department of Financial Services Cybersecurity Regulation Compliance Requirements Are Effective Today, Right Vision Media (Aug. 29, 2017), https://advance.lexis.com/api/permalink/e7e9a476-b8cc-4965-9340-7a46044bc7cf/?context=1000516. 23 N.Y.C.R.R 500 requires banks, insurance companies, and other institutions regulated by the Department of Financial Services to implement cybersecurity programs that protect their consumers’ data. 82 Steven Lofchie, NY Department of Financial Services Cybersecurity Regulation Now Effective, Mondaq (Sept. 6, 2017). Entities covered by the New York Department of Financial Services are required to have “(i) a written cybersecurity policy or policies approved by the entity’s board of directors or a senior officer, (ii) a ‘Chief Information Security Officer’ in place to protect data and systems, and (iii) other relevant ‘controls and plans’ intended to fortify the safety of the financial services industry.” 83 Id. Each firm must submit an annual Certification of Compliance that shows the firm’s cybersecurity compliance program. 84 Id. The first of these certificates was due by February 15, 2018. 85 Id.

In accordance with the covered entity’s Cybersecurity Risk Assessment, entities must perform continuous monitoring, annual penetration tests, and bi-annual vulnerability assessments to gather information regarding the effectiveness of the particular Cybersecurity Program. 86 Access Business Technologies – Provides Compliant Software for New York State Department of Financial Services New Strict Cybersecurity Regulations for Mortgage Companies, Financial Services Monitor Worldwide (Jan. 17, 2018), https://advance.lexis.com/api/permalink/1630c569-9e19-4906-a6aa-83419d532fb8/?context=1000516. Periodic risk assessments should be conducted for continuous awareness of changes to the given Information Systems, business operations, and nonpublic information. 87 Id. Regular Cybersecurity Awareness and Training that is updated accordingly to deal with risks identified by the risk assessment needs to be implemented for all personnel. 88 Id.

Each corporation’s newly appointed Chief Information Security Officer is required to report to the Board of Directors of their covered entity at least once a year. 89 Christopher Bosch and Jeff Kern, New York State Department of Financial Services Proposes Cybersecurity Regulations for Financial Services Companies, Corporate and Securities Law Blog (Sept. 22, 2016), https://www.corporatesecuritieslawblog.com/2016/09/new-york-state-department-of-financial-services-proposes-cybersecurity-regulations-for-financial-services-companies/. In this report, the Chief Information Security Officer must include information regarding the status and effectiveness of the Cybersecurity Program as well as any material risks to cybersecurity that the covered entity may encounter. 90 Access Business Technologies – Provides Compliant Software for New York State Department of Financial Services New Strict Cybersecurity Regulations for Mortgage Companies, Financial Services Monitor Worldwide (Jan. 17, 2018), https://advance.lexis.com/api/permalink/1630c569-9e19-4906-a6aa-83419d532fb8/?context=1000516.

One of the major changes to the already strict regulations is that multi-factor authentication is required. 91 Access Business Technologies – Provides Compliant Software for New York State Department of Financial Services New Strict Cybersecurity Regulations for Mortgage Companies, Financial Services Monitor Worldwide (Jan. 17, 2018). Every covered entity is required to use some type of Cybersecurity Controls, which may be either Multi-Factor Authentication or Risk-Based Authentication. 92 Id. These requirements extend to all individuals accessing the covered entity’s internal network from an external network, to protect against unauthorized access to private information and information systems. 93 Id.

The Department of Financial Services requires covered entities to report notices of certain cybersecurity events to the Department of Financial Services within 72 hours of a breach. 94 Steven Lofchie, NY Department of Financial Services Cybersecurity Regulation Now Effective, Mondaq (Sept. 6, 2017). A cybersecurity event needs to be reported if it either: (1) impacts the covered entity and notice is required to be given to a government body, self-regulatory agency, or any other supervisory authority; or (2) has reasonable likelihood of materially harming a material part of the covered entity’s normal operations. 95 New York State Department of Financial Services Continues Innovative Regulatory Initiatives With the Launch of New Online Cybersecurity Portal for Businesses Seeking to Report Cybersecurity Events in New York – New DFS Portal Assists Businesses Complying With New York’s First-In-The-Nation Cybersecurity Regulation – Covered Entities Can Also Virtually File Certificate of Compliance Due By February 15, 2018, Impact Financial News (Aug. 1, 2017), https://advance.lexis.com/api/permalink/657640c7-6ae8-4c17-8bb6-0c4ebbb2c89e/?context=1000516. Cybersecurity events must be reported through the Department of Financial Services’ online cybersecurity portal. 96 New York State Department of Financial Services Cybersecurity Regulation Compliance Requirements Are Effective Today, Right Vision Media (Aug. 29, 2017) (Other filings are also able to be filed through this secure portal. “This portal has been operational to receive notices of exemption, and will allow, by permission, employers to file notices of exemption on behalf of employees or captive agents who are also covered entities where large bulk filings can be facilitated.”) Providing a cyber portal is just one of many steps the Department of Financial Services is taking to protect both consumers and the financial services industry, all while supporting and keeping up with industry innovation. 97 New York State Department of Financial Services Continues Innovative Regulatory Initiatives With the Launch of New Online Cybersecurity Portal for Businesses Seeking to Report Cybersecurity Events in New York, Impact Financial News (Aug. 1, 2017) (“These initiatives include the Department’s transition to the Nationwide Multistate Licensing System and Registry, a secure, web-based, nationwide licensing system that allows companies to apply for, update, and renew their licenses in one or more states conveniently and safely online, and a new online application process to spend the re-licensing of agents and brokers whose original licenses have been expired for more than two years.”).

IV. International Reaction to Financial Services Cyberattacks

The world is increasingly becoming economically interconnected. 98 Christine Lagarde, Managing Director, Int’l Monetary Fund, U.S. Chamber of Commerce (Sept. 19, 2013). The internet and other information technologies are a major catalyst for companies of all sizes to expand into foreign markets. 99 Neil Kokemuller, Why Do Businesses Operate Internationally?, Chron, http://smallbusiness.chron.com/businesses-operate-internationally-78226.html. With increased globalization comes increased opportunities, but also increased challenges. 100 Christine Lagarde, Managing Director, Int’l Monetary Fund, U.S. Chamber of Commerce (Sept. 19, 2013). Strict regulations will protect American consumers’ data internationally as well.

Following multiple cross-border bank thefts, the “Group of Seven” industrial powers (Canada, France, Germany, Italy, Japan, United Kingdom, and United States) agreed on certain guidelines that will help protect the global financial sector from cyberattacks. 101 Gilheany, The State of Cybersecurity Laws in the Financial Services Industry, CISCO (May 18, 2017) (This agreement took place at a meeting in October of 2016.). As more states and nation states create cybersecurity requirements, financial institutions will admittedly face increased compliance costs, which could in turn divert resources away from other sorts of risk mitigation. 102 Daniel Ilan and Katherine Mooney Carroll, NYDFS Cybersecurity Regulations Take Effect, Harvard Law School Forum on Corp. Gov. and Fin. Reg. (Sept. 2, 2017), https://corpgov.law.harvard.edu/2017/09/02/nydfs-cybersecurity-regulations-take-effect/. Some of the recent foreign regulations are detailed over the coming pages.

A. China

On June 1, 2017, China introduced the country’s first comprehensive cybersecurity law (the “People’s Republic of China Cybersecurity Law”). 103 Jeff Dodd, Ross Campbell, Jerry Jie Li, and Dora Luo, China: People’s Republic of China Cybersecurity Law: A Preliminary Overview for Western Companies, Mondaq Business Briefing (July 28, 2017), https://advance.lexis.com/api/permalink/5f47a4df-c67b-4059-8678-e2a4b148be5a/?context=1000516. The People’s Republic of China Cybersecurity Law was written to safeguard Chinese “cyberspace sovereignty.” 104 Id. The People’s Republic of China Cybersecurity Law was designed to better align China’s laws with both industry and global cybersecurity standards. 105 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017). The People’s Republic of China Cybersecurity Law will likely reach many multinational corporations in different ways, as many large corporations conduct business with China and thus will be required to comply with certain regulations within the law. The People’s Republic of China Cybersecurity Law requires owners, managers, and service providers of computer networks to adopt data security measures. 106 Dodd, Campbell, Li, and Luo, China: People’s Republic of China Cybersecurity Law: A Preliminary Overview for Western Companies, Mondaq Business Briefing (July 28, 2017) (Measures include things such as computer virus prevention and security incident recording.). A company operating a network relating to services needed for finance, among other things, must adhere to additional requirements, “such as setting up specialized security management bodies and conducting disaster recovery backups.” 107 Id. Relevant national security maintenance requirements must be satisfied by companies providing network products and services in China. 108 Id. Financial services firms specifically will be required to show that their IT infrastructure meets specifications and is able to pass cybersecurity tests and certifications. 109 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017). Under the People’s Republic of China Cybersecurity Law, data collected within the country regarding its citizens must be stored on servers within the country’s borders and may be moved abroad only if permission to do so is granted. 110 Id. Companies that fail to comply with the People’s Republic of China Cybersecurity Law will be subject to fines in excess of 1 million yuan ($150,000 USD). 111 Dodd, Campbell, Li, and Luo, China: People’s Republic of China Cybersecurity Law: A Preliminary Overview for Western Companies, Mondaq Business Briefing (July 28, 2017).

B. Singapore

Singapore currently has an established Personal Data Protection Act of 2012, which comprises various rules governing the collection, use, disclosure, and care of personal data. 112 Personal Data Protection Commission Singapore, Legislation and Guidelines: Overview (2017), https://www.pdpc.gov.sg/Legislation-and-Guidelines/Personal-Data-Protection-Act-Overview. On February 5, 2018, the Singapore Parliament introduced the Singapore Cybersecurity Bill, which “aims to establish a regime to prevent, manage, and respond to cybersecurity threats and incidents, and to regulate critical information infrastructure owners and cybersecurity providers, which could necessitate additional cybersecurity measures and testing.” 113 Morgan Lewis, Singapore Parliament Introduces Cybersecurity Bill, JD Supra (Feb. 14, 2018), https://advance.lexis.com/api/permalink/3381c5a1-ac8c-4b70-865e-c26231232642/?context=1000516. The Singapore Cybersecurity Bill gives the Commissioner of Cybersecurity the power to designate a computer or computer system as Critical Information Infrastructure (“CII” 114 CII: “Critical Information Infrastructure Computer systems directly involved in the provision of essential services.” Lewis, Singapore Parliament Introduces Cybersecurity Bill, JD Supra (Feb. 14, 2018).) for a period of five years if he or she is satisfied that the computer system is: (1) necessary for continued delivery of an essential service 115 Essential Service: “any service essential to the national security, defense, foreign relations, economy, public health, public safety, or public order of Singapore and which is expressly in the First Schedule of the Cybersecurity Bill.” Lewis, Singapore Parliament Introduces Cybersecurity Bill, JD Supra (Feb. 14, 2018).; and (2) located wholly or partly in Singapore. 116 Id. Both breaches and modification of system design or security are required to be reported to the Commissioner of Cybersecurity. 117 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017). Failure to comply with the Singapore Cybersecurity Bill can result in fines of up to $100,000 or punishments of up to 10 years’ imprisonment. 118 Id.

C. European Union

After 23 years, the European Union is replacing its prior Data Protection Directive with the General Data Protection Regulation, which “was designed to harmonize data privacy law across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” 119 EU GDPR Portal, Home Page of EU GDPR (2018), https://www.eugdpr.org. On May 25, 2018, 120 What is General Data Protection Regulation?, Forbes (Feb. 14, 2018), https://advance.lexis.com/api/permalink/4151d2c6-8a04-46e0-94ca-9bc2d301e3ac/?context=1000516. the General Data Protection Regulation creates a uniform minimum standard for every European Union country, and implements strict rules on the control and processing of personally identifiable information. 121 Id. All European Economic Area member states will have some sort of data protection law to set out their own specific enforcement mechanisms and to use their discretion on certain General Data Protection Regulation elements 122 “Certain issues under the Regulation, such as the age of consent and the use of criminal records in employment, will still be determined at a national level.” Elias Neocleous, Be Prepared for the EU General Data Protection Regulation, Mondaq (Nov. 1, 2017), https://advance.lexis.com/api/permalink/604c361f-bb05-4475-a848-7ce266ec4c95/?context=1000516. where they are permitted to do so. 123 Anthony Woolich and Felicity Burling, All Change – Are You Ready for the EU General Data Protection Regulation?, Mondaq (Sept. 13, 2017), https://advance.lexis.com/api/permalink/f457d946-b77c-47b6-bde6-220c2cf1eda9/?context=1000516 (“Germany, for example, approved a new Data Protection Act in May 2017.”). Consumers are being given enhanced control over their personal data, as well as privacy protection rights. 124 What is General Data Protection Regulation?, Forbes (Feb. 14, 2018). Organizations wishing to process consumer data must now obtain consent from affected consumers, who may withdraw that consent at any time. 125 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017).

Some essential items added with this new regulation include: (1) increased fines; (2) breach notifications; the aforementioned (3) opt-in consent; and (4) responsibility for the transfer of data outside of the European Union. 126 What is General Data Protection Regulation?, Forbes (Feb. 14, 2018). The new regulations extend the definition of “personal data” to bring more data within the scope of regulation, reflecting an increase in internet use. 127 Neocleous, Be Prepared for the EU General Data Protection Regulation, Mondaq (Nov. 1, 2017). Data Protection Officers will be appointed for organizations that process personal data on a large scale. 128 Ius Laboris, The EU General Data Protection Regulation, YouTube (Jun. 9, 2017), https://www.youtube.com/embed/mOeMYZeL9hY. Data Protection Officers will ensure compliance with the supervised organization’s accountability program, and will also run data protection impact assessments. 129 Neocleous, Be Prepared for the EU General Data Protection Regulation, Mondaq (Nov. 1, 2017). Data protection impact assessments require data processors to complete a risk assessment before carrying out higher-risk data processing activities, such as processing sensitive data and systematically monitoring publicly accessible areas. 130 Id. Obtaining consent to process personal data is now more difficult to prove and achieve. 131 Id. Parental consent will now be required for children to receive any information society services. 132 Id. The General Data Protection Regulation creates what is referred to as a “one-stop shop,” letting data controllers report to a single supervisory authority instead of dealing with different countries’ authority groups. 133 Neocleous, Be Prepared for the EU General Data Protection Regulation, Mondaq (Nov. 1, 2017) (“This will reduce the administrative burden on data controllers and ensure regulatory consistency for internet service providers with offices in more than one EU member state.”). Subject to certain conditions, consumers will have the right to require data controllers to erase personal data about them as quickly as possible. 134 Id. (This is referred to as the “right to be forgotten.”). This would create a large burden on data controllers who have made personal data public, because they will be forced to “inform other controllers who are processing such personal data to erase any links to, or copies or replications of the data.” 135 Id. Data controllers are required to implement technical and organizational measures and procedures to ensure processing protects the rights of the data subjects. 136 Id.

In cases of a breach, the controller shall immediately notify individuals whose information is the subject of the breach as well as the proper supervisory authority within 72 hours of becoming aware of said breach. 137 Paul Kavanagh, Jennifer McGrandle, and Madeleine White, GDPR and Personal Data Breaches: What, When, Who, and How?, Lexology (Nov. 1, 2017), https://www.lexology.com/library/detail.aspx?g=03e8a988-7c9e-4576-94ea-5ab13f2cb240. A delay in notification requires an accompanying explanation when the notification is eventually given to the proper supervisory authority. 138 Neocleous, Be Prepared for the EU General Data Protection Regulation, Mondaq (Nov. 1, 2017).

The General Data Protection Regulation will have an intercontinental impact. 139 EU Compliance: General Data Protection Regulation (GDPR), Gemalto, https://safenet.gemalto.com/data-protection/data-compliance/european-union-eu-compliance/ (“With the demise of Safe Harbor, U.S. companies that export and handle the personal data of European citizens will also need to comply with the new requirements put forth or be subject to the same consequences.”). The General Data Protection Regulation applies to organizations outside of the European Economic Area if the organization: (1) has a presence within the European Economic Area; (2) offers products or services to individuals in the European Economic Area; or (3) monitors the behavior of individuals within the European Economic Area. 140 Woolich and Burling, All Change – Are You Ready for the EU General Data Protection Regulation?, Mondaq (Sept. 13, 2017). Because of the large amount of personal information stored and processed by financial institutions, the General Data Protection Regulation’s regulating bodies will be keeping a close watch on compliance efforts. 141 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017). If an organization is breached, said organization must notify the local data protection authority, and potentially the consumers whose personal data was affected. 142 EU Compliance: General Data Protection Regulation (GDPR), Gemalto, https://safenet.gemalto.com/data-protection/data-compliance/european-union-eu-compliance/. Non-compliance with the General Data Protection Regulation may result in fines up to €20 million, or 4% of total annual worldwide turnover, whichever amount is greater. 143 Neocleous, Be Prepared for the EU General Data Protection Regulation, Mondaq (Nov. 1, 2017).

D. United Kingdom

Although the United Kingdom has decided to leave the European Union, it will not cease its participation in the General Data Protection Regulation. 144 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017). The UK is implementing a Data Protection Bill, which will be the newest version since the 1998 Data Protection Act. 145 Id. The UK Data Protection Bill is intended to go beyond the General Data Protection Regulation, thus creating “the gold standard on data protection.” 146 Woolich and Burling, All Change – Are You Ready for the EU General Data Protection Regulation?, Mondaq (Sept. 13, 2017) (“For example, the UK Bill will introduce criminal offences for intentionally or recklessly re-identifying individuals from anonymized or pseudonyms data, and for altering records with the intent to prevent disclosure following a subject access request.”). The regulations within the United Kingdom’s Data Protection Bill are similar to those of the General Data Protection Regulation, containing only minor changes with regard to journalists and scientific researchers. 147 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017).

V. Critical Nature of Other Regulators Following Suit

It is imperative that progress is made to protect consumers and the financial system from the starkly increasing threat of cyberattacks. 148 Oregon: New York State Department of Financial Services Issues Cybersecurity Regulations, US Official News (Feb. 27, 2017), https://advance.lexis.com/api/permalink/98f45bbf-eb5f-4bfe-bd6b-99089899150e/?context=1000516. New York has shown that it is willing to be fast and prescriptive when it comes to cybersecurity regulations overseeing the security of financial institutions, as opposed to the delayed path taken by the federal government. 149 Kate Fazzini, NY’s Equifax-Inspired Rules Could Sweep Up Many Companies, WSJ Pro Cybersecurity (Sept. 22, 2017), https://advance.lexis.com/api/permalink/b185c3f1-e19b-4bd3-82d7-a5f30547dd56/?context=1000516. With the implementation of 23 N.Y.C.R.R. 500, New York is leading the nation with a strong cybersecurity regulation that protects consumers’ personal data and information systems. 150 Steven Lofchie, NY Department of Financial Services Cybersecurity Regulation Now Effective, Mondaq (Sept. 6, 2017) (These are part of Maria Vullo’s comments on the NYDFS program.).

For the sake of being proactive with regard to cyber threats, it is critical that all regulated institutions quickly adopt a form of cybersecurity, and that all regulated entities be subject to certain standards with respect to their programs. 151 Oregon: New York State Department of Financial Services Issues Cybersecurity Regulations, US Official News (Feb. 27, 2017). Through the continued interconnectedness of global financial networks, each nation’s existing cybersecurity regulations have international implications. 152 Id. Given the far-reaching effect that breaches can have over individuals and corporations, it is crucial that all nations work together to combat cybercrime.

Many have argued the importance of a common policy or legal framework that will fully unify the disparate efforts taken to combat cybersecurity breaches. 153 David Forscey, Steve Cash, and Benjamin Nissim, Cybersecurity Is The Next Frontier of State Regulation, Law360 (May 11, 2017), https://www.nga.org/files/live/sites/NGA/files/pdf/2017/1706ForsceyLaw360.pdf. States pondering whether to enforce existing rules more aggressively or to pass cybersecurity standards of their own need to consider the potential issues that existing frameworks could cause. Additionally, they should collaborate with experts to determine the best approach to avoid conflicting or duplicative regulations, support a consistent cross-border policy, and promote the best cybersecurity practices while not compromising an already vibrant business environment. 154 Id.

Conclusion

As John F. Kennedy said in 1963, “[c]hange is the law of life. And those who look only to the past or present are certain to miss the future.” 155 Alana Ross and Barry Ross, Change is the Law of Life – JFK, Ross & Ross Int’l (Mar. 14, 2017), https://www.rossross.com/blog/change-is-the-law-of-life-jfk. Up until this point, consumers and entities have always made the choice to look to the future when it comes to protecting consumers’ personal information on a cybersecurity level. The cybersecurity makeup of the financial industry will never stay stagnant, which is why it is so important that regulators never find themselves ignoring the future when deciding the best options to safeguard against cyberattacks in financial systems. The interconnectedness of the global financial system serves as a reminder that the measures taken to protect against cyberattacks in one area can easily affect the rest of the world. 23 N.Y.C.R.R. 500 is a big step in a positive direction, and it is critical that other regulators on both a domestic and global scale choose to follow New York’s lead to make for a safer financial world.

Footnotes

1 Greg Baer and Rob Hunter, A Tower of Babel: Cyber Regulation for Financial Services, Banking Perspective from The Clearing House, https://www.theclearinghouse.org/research/banking-perspectives/2017/2017-q2-banking-perspectives/cyber-regulation-for-financial-services.

2 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About, CSO from IDG (Dec. 5, 2017), https://www.csoonline.com/article/3239681/security/changing-cybersecurity-regulations-that-global-financial-services-firms-need-to-know-about.html.

3 Kat Greene, Treasury Chief Wants More Cybersecurity At Financial Firms, Law360 (July 15, 2014), https://advance.lexis.com/api/permalink/b32852b0-53c0-4907-95bb-60a7699da608/?context=1000516.

4 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017).

5 N.Y. Comp. Codes R. & Regs. Tit. 23, § 500.

6 Steven Lofchie, NY Department of Financial Services Cybersecurity Regulation Now Effective, Mondaq (Sept. 6, 2017), https://advance.lexis.com/api/permalink/433e2ebf-d2c7-4a33-976e-2f12917c28ac/?context=1000516.

7 Greg Baer and Rob Hunter, A Tower of Babel: Cyber Regulation for Financial Services, Banking Perspective from The Clearing House.

8 Linda McGlasson, Heartland Payment Systems, Forcht Bank Discover Data Breaches, Information Security Media Group, Corp. (Jan. 21, 2009), https://www.bankinfosecurity.com/heartland-payment-systems-forcht-bank-discover-data-breaches-a-1168.

9 Id.

10 Taylor Armerding, The 17 Biggest Data Breaches of the 21st Century, CSO from IDG (Jan. 26, 2018), https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html.

11 Linda McGlasson, Heartland Payment Systems, Forcht Bank Discover Data Breaches (Jan. 21, 2009).

12 Taylor Armerding, The 17 Biggest Data Breaches of the 21st Century (Jan. 26, 2018).

13 Id.

14 Id.

15 Id.

16 Portia Crowe, JPMorgan Fell Victim to the Largest Theft of Customer Data from a Financial Institution in US History, Business Insider (Nov. 10, 2015), http://www.businessinsider.com/jpmorgan-hacked-bank-breach-2015-11.

17 Taylor Armerding, The 17 Biggest Data Breaches of the 21st Century (Jan. 26, 2018).

18 Id.

19 Jessica Silver-Greenberg, Matthew Goldstein, and Nicole Perlroth, JPMorgan Chase Hacking Affects 76 Million Households, N.Y. Times (Oct. 2, 2014), https://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/.

20 Id.

21 The Target breach affected 40 million cardholders, and 70 million others had their information compromised. Id.

22 The Home Depot hack affected roughly 56 million cards. Id.

23 Id.

24 Id.

25 Steven Howden, What was the cost of the JP Morgan Chase data breach?, Morgan McKinley Co. (Dec. 2, 2015), https://www.morganmckinley.co.jp/en/article/what-was-cost-jp-morgan-chase-data-breach.

26 Karen Hao, The complete guide to the Equifax breach, Quartz (Sept. 16, 2017), https://qz.com/1079253/the-complete-guide-to-the-equifax-breach/.

27 Verge Staff, 143 million compromised Social Security numbers: everything you need to know about the Equifax hack, The Verge (Sept. 7, 2017), https://www.theverge.com/2017/9/22/16345580/equifax-data-breach-credit-identity-theft-updates.

28 Breach at Equifax May Impact 143M Americans, Krebs on Security (Sept. 7, 2017), https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/.

29 The rankings here are “based not necessarily on the number of records compromised, but on how much risk or damage the breach caused for companies, insurers, and users or account holders.” Taylor Armerding, The 17 Biggest Data Breaches of the 21st Century (Jan. 26, 2018).

30 Id.

31 Breach at Equifax May Impact 143M Americans (Sept. 7, 2017).

32 Id.

33 Taylor Armerding, The 17 Biggest Data Breaches of the 21st Century (Jan. 26, 2018).

34 Equifax first detected the hack on July 29. Nicole Perlroth and Cade Metz, Equifax Breach: Two Executives Step Down as Investigation Continues, N.Y. Times (Sept. 14, 2017), https://www.nytimes.com/2017/09/14/business/equifax-hack-what-we-know.html.

35 Id.

36 Id.

37 Id.

38 Jessica Silver-Greenberg, Matthew Goldstein, and Nicole Perlroth, JPMorgan Chase Hacking Affects 76 Million Households, N.Y. Times (Oct. 2, 2014).

39 Charles Cooper, The Cybersecurity Side of Cryptocurrency, CSO from IDG (Feb. 23, 2017), https://www.csoonline.com/article/3166938/data-breach/the-cybersecurity-side-of-cryptocurrency.html.

40 Id.

41 Id.

42 Id.

43 Susan Athey, 5 Ways Digital Currencies Will Change the World, World Economic Forum (Jan. 22, 2015), https://www.weforum.org/agenda/2015/01/5-ways-digital-currencies-will-change-the-world/.

44 A group of countries have discussed the possibility of issuing their own cryptocurrencies, which would lead to some cryptocurrencies no longer being decentralized. David Tweed, Why Governments Might Join the Cryptocurrency Craze, Bloomberg QuickTake (March 19, 2018), https://www.bloomberg.com/news/articles/2018-02-12/why-governments-might-join-the-cryptocurrency-craze-quicktake. For example, Venezuela’s president is proposing the idea of “the Petro.” Id. This will be a virtual currency backed by one barrel of oil per piece of currency. Id. Russia also plans to talk with countries including Brazil, China, India, and the five former Soviet republics about a possible supra-cryptocurrency that would cover countries with 40% of the world’s population. Id.

45 Charles Cooper, The Cybersecurity Side of Cryptocurrency, CSO from IDG (Feb. 23, 2017), https://www.csoonline.com/article/3166938/data-breach/the-cybersecurity-side-of-cryptocurrency.html.

46 Id.

47 Id.

48 Id.

49 Ian Demartino, Ethereum’s DAO Gets Hacked for $60M, Hardfork to Come?, Coin Journal (June 17, 2016), https://coinjournal.net/dao-gets-hacked-hardfork-come/.

50 Charles Cooper, The Cybersecurity Side of Cryptocurrency, CSO from IDG (Feb. 23, 2017), https://www.csoonline.com/article/3166938/data-breach/the-cybersecurity-side-of-cryptocurrency.html.

51 BI Intelligence, The Mobile Payments Report: Market Forecasts, Consumer Trends, and the Barriers and Benefits that will Influence Adoption, Business Insider (June 3, 2016), http://www.businessinsider.com/the-mobile-payments-report-market-forecasts-consumer-trends-and-the-barriers-and-benefits-that-will-influence-adoption-2016-5.

52 How Secure are Mobile Payments?, Data Cap Systems, Inc. (2017), https://www.datacapsystems.com/blog/2017/2/1/how-secure-are-mobile-payments.

53 Id.

54 Id.

55 John Rampton, Your Security Concerns About Using Mobile Payments Are Valid, Entrepreneur (Oct. 4, 2016), https://www.entrepreneur.com/article/282722.

56 Id. (“where attackers threaten to release sensitive company or customer data if the victim doesn’t pay up or meet some other demand.”).

57 Id.

58 Id.

59 How Secure are Mobile Payments?, Data Cap Systems, Inc. (2017) (Apple Pay, Android Pay, and Samsung Pay are among some of the mobile wallets that utilize tokenization.).

60 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017).

61 Personal Identifiable Information here includes personal financial records. Id.

62 Id.

63 George R. Lynch, U.S. Has Second Strongest Cybersecurity in the World: UN Reports, Bloomberg News (Jul. 14, 2017), https://www.bna.com/us-second-strongest-b73014461766/.

64 Tom Gilheany, The State of Cybersecurity Laws in the Financial Services Industry, CISCO (May 18, 2017), https://learningnetwork.cisco.com/blogs/talking-tech-with-cisco/2017/05/18/the-state-of-cybersecurity-laws-in-the-financial-services-industry.

65 Cybersecurity Legislation 2017, National Conference of State Legislatures (Dec. 29, 2017), http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2017.aspx.

66 Tom Gilheany, The State of Cybersecurity Laws in the Financial Services Industry, CISCO (May 18, 2017), https://learningnetwork.cisco.com/blogs/talking-tech-with-cisco/2017/05/18/the-state-of-cybersecurity-laws-in-the-financial-services-industry.

67 Id.

68 Id.

69 Id.

70 The Department of Financial Services, DFS: About Us (2017), http://www.dfs.ny.gov/about/dfs_about.htm.

71 The Department of Financial Services, Mission (2017), http://www.dfs.ny.gov/about/mission.htm.

72 Id.

73 Access Business Technologies – Provides Compliant Software for New York State Department of Financial Services New Strict Cybersecurity Regulations for Mortgage Companies, Fin. Services Monitor Worldwide (Jan. 17, 2018), https://advance.lexis.com/api/permalink/ca146713-837f-4d64-b8a1-5b916e2ca34f/?context=1000516.

74 Id.

75 New York State Department of Financial Services Superintendent Vullo Issues Cybersecurity Filing Deadline Reminder, Mondo Visione (Jan. 22, 2018), https://advance.lexis.com/api/permalink/53ecb7f9-c50b-451d-99dd-4f75e2a1132d/?context=1000516.

76 New York Department of Financial Services Cyber Security Examination, Mondaq Business Briefing (Dec. 12, 2014), https://advance.lexis.com/api/permalink/48ab074c-89ff-4318-9fa5-bedcab2de65d/?context=1000516.

77 Id.

78 New York Takes Tough Stance on Financial Cyber Security, Business Insurance Magazine (Jan. 12, 2017), https://advance.lexis.com/api/permalink/2291ce4d-4da4-4510-bfa1-3422d56c85b0/?context=1000516 (“For example, this regulation requires report of a breach within 72 hours of the breach, and in order for this to happen a company needs to have in place a formalized instant response plan . . . The regulation contains some very specific demands that go beyond other regulations, including those related to nonpublic information, where the terms are defined very broadly.” – Business Insurance Magazine attorney Bess Hinson.).

79 Access Business Technologies – Provides Compliant Software for New York State Department of Financial Services New Strict Cybersecurity Regulations for Mortgage Companies, Financial Services Monitor Worldwide (Jan. 17, 2018), https://advance.lexis.com/api/permalink/c6d0ffe5-e146-4c29-bc6e-c58851da1efe/?context=1000516.

80 Id.

81 New York State Department of Financial Services Cybersecurity Regulation Compliance Requirements Are Effective Today, Right Vision Media (Aug. 29, 2017), https://advance.lexis.com/api/permalink/e7e9a476-b8cc-4965-9340-7a46044bc7cf/?context=1000516.

82 Steven Lofchie, NY Department of Financial Services Cybersecurity Regulation Now Effective, Mondaq (Sept. 6, 2017).

83 Id.

84 Id.

85 Id.

86 Access Business Technologies – Provides Compliant Software for New York State Department of Financial Services New Strict Cybersecurity Regulations for Mortgage Companies, Financial Services Monitor Worldwide (Jan. 17, 2018), https://advance.lexis.com/api/permalink/1630c569-9e19-4906-a6aa-83419d532fb8/?context=1000516.

87 Id.

88 Id.

89 Christopher Bosch and Jeff Kern, New York State Department of Financial Services Proposes Cybersecurity Regulations for Financial Services Companies, Corporate and Securities Law Blog (Sept. 22, 2016), https://www.corporatesecuritieslawblog.com/2016/09/new-york-state-department-of-financial-services-proposes-cybersecurity-regulations-for-financial-services-companies/.

90 Access Business Technologies – Provides Compliant Software for New York State Department of Financial Services New Strict Cybersecurity Regulations for Mortgage Companies, Financial Services Monitor Worldwide (Jan. 17, 2018), https://advance.lexis.com/api/permalink/1630c569-9e19-4906-a6aa-83419d532fb8/?context=1000516.

91 Access Business Technologies – Provides Compliant Software for New York State Department of Financial Services New Strict Cybersecurity Regulations for Mortgage Companies, Financial Services Monitor Worldwide (Jan. 17, 2018).

92 Id.

93 Id.

94 Steven Lofchie, NY Department of Financial Services Cybersecurity Regulation Now Effective, Mondaq (Sept. 6, 2017).

95 New York State Department of Financial Services Continues Innovative Regulatory Initiatives With the Launch of New Online Cybersecurity Portal for Businesses Seeking to Report Cybersecurity Events in New York – New DFS Portal Assists Businesses Complying With New York’s First-In-The-Nation Cybersecurity Regulation – Covered Entities Can Also Virtually File Certificate of Compliance Due By February 15, 2018, Impact Financial News (Aug. 1, 2017), https://advance.lexis.com/api/permalink/657640c7-6ae8-4c17-8bb6-0c4ebbb2c89e/?context=1000516.

96 New York State Department of Financial Services Cybersecurity Regulation Compliance Requirements Are Effective Today, Right Vision Media (Aug. 29, 2017) (Other filings are also able to be filed through this secure portal. “This portal has been operational to receive notices of exemption, and will allow, by permission, employers to file notices of exemption on behalf of employees or captive agents who are also covered entities where large bulk filings can be facilitated.”).

97 New York State Department of Financial Services Continues Innovative Regulatory Initiatives With the Launch of New Online Cybersecurity Portal for Businesses Seeking to Report Cybersecurity Events in New York, Impact Financial News (Aug. 1, 2017) (“These initiatives include the Department’s transition to the Nationwide Multistate Licensing System and Registry, a secure, web-based, nationwide licensing system that allows companies to apply for, update, and renew their licenses in one or more states conveniently and safely online, and a new online application process to spend the re-licensing of agents and brokers whose original licenses have been expired for more than two years.”).

98 Christine Lagarde, Managing Director, Int’l Monetary Fund, U.S. Chamber of Commerce (Sept. 19, 2013).

99 Neil Kokemuller, Why Do Businesses Operate Internationally?, Chron, http://smallbusiness.chron.com/businesses-operate-internationally-78226.html.

100 Christine Lagarde, Managing Director, Int’l Monetary Fund, U.S. Chamber of Commerce (Sept. 19, 2013).

101 Gilheany, The State of Cybersecurity Laws in the Financial Services Industry, CISCO (May 18, 2017) (This agreement took place at a meeting in October of 2016.).

102 Daniel Ilan and Katherine Mooney Carroll, NYDFS Cybersecurity Regulations Take Effect, Harvard Law School Forum on Corp. Gov. and Fin. Reg. (Sept. 2, 2017), https://corpgov.law.harvard.edu/2017/09/02/nydfs-cybersecurity-regulations-take-effect/.

103 Jeff Dodd, Ross Campbell, Jerry Jie Li, and Dora Luo, China: People’s Republic of China Cybersecurity Law: A Preliminary Overview for Western Companies, Mondaq Business Briefing (July 28, 2017), https://advance.lexis.com/api/permalink/5f47a4df-c67b-4059-8678-e2a4b148be5a/?context=1000516.

104 Id.

105 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017).

106 Dodd, Campbell, Li, and Luo, China: People’s Republic of China Cybersecurity Law: A Preliminary Overview for Western Companies, Mondaq Business Briefing (July 28, 2017) (Measures include things such as computer virus prevention and security incident recording.).

107 Id.

108 Id.

109 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017).

110 Id.

111 Dodd, Campbell, Li, and Luo, China: People’s Republic of China Cybersecurity Law: A Preliminary Overview for Western Companies, Mondaq Business Briefing (July 28, 2017).

112 Personal Data Protection Commission Singapore, Legislation and Guidelines: Overview (2017), https://www.pdpc.gov.sg/Legislation-and-Guidelines/Personal-Data-Protection-Act-Overview.

113 Morgan Lewis, Singapore Parliament Introduces Cybersecurity Bill, JD Supra (Feb. 14, 2018), https://advance.lexis.com/api/permalink/3381c5a1-ac8c-4b70-865e-c26231232642/?context=1000516.

114 CII: “Critical Information Infrastructure Computer systems directly involved in the provision of essential services.” Lewis, Singapore Parliament Introduces Cybersecurity Bill, JD Supra (Feb. 14, 2018).

115 Essential Service: “any service essential to the national security, defense, foreign relations, economy, public health, public safety, or public order of Singapore and which is expressly in the First Schedule of the Cybersecurity Bill.” Lewis, Singapore Parliament Introduces Cybersecurity Bill, JD Supra (Feb. 14, 2018).

116 Id.

117 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017).

118 Id.

119 EU GDPR Portal, Home Page of EU GDPR (2018), https://www.eugdpr.org.

120 What is General Data Protection Regulation?, Forbes (Feb. 14, 2018), https://advance.lexis.com/api/permalink/4151d2c6-8a04-46e0-94ca-9bc2d301e3ac/?context=1000516.

121 Id.

122 “Certain issues under the Regulation, such as the age of consent and the use of criminal records in employment, will still be determined at a national level.” Elias Neocleous, Be Prepared for the EU General Data Protection Regulation, Mondaq (Nov. 1, 2017), https://advance.lexis.com/api/permalink/604c361f-bb05-4475-a848-7ce266ec4c95/?context=1000516.

123 Anthony Woolich and Felicity Burling, All Change – Are You Ready for the EU General Data Protection Regulation?, Mondaq (Sept. 13, 2017), https://advance.lexis.com/api/permalink/f457d946-b77c-47b6-bde6-220c2cf1eda9/?context=1000516 (“Germany, for example, approved a new Data Protection Act in May 2017.”).

124 What is General Data Protection Regulation?, Forbes (Feb. 14, 2018).

125 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017).

126 What is General Data Protection Regulation?, Forbes (Feb. 14, 2018).

127 Neocleous, Be Prepared for the EU General Data Protection Regulation, Mondaq (Nov. 1, 2017).

128 Ius Laboris, The EU General Data Protection Regulation, YouTube (Jun. 9, 2017), https://www.youtube.com/embed/mOeMYZeL9hY.

129 Neocleous, Be Prepared for the EU General Data Protection Regulation, Mondaq (Nov. 1, 2017).

130 Id.

131 Id.

132 Id.

133 Neocleous, Be Prepared for the EU General Data Protection Regulation, Mondaq (Nov. 1, 2017) (“This will reduce the administrative burden on data controllers and ensure regulatory consistency for internet service providers with offices in more than one EU member state.”).

134 Id. (This is referred to as the “right to be forgotten.”).

135 Id.

136 Id.

137 Paul Kavanagh, Jennifer McGrandle, and Madeleine White, GDPR and Personal Data Breaches: What, When, Who, and How?, Lexology (Nov. 1, 2017), https://www.lexology.com/library/detail.aspx?g=03e8a988-7c9e-4576-94ea-5ab13f2cb240.

138 Neocleous, Be Prepared for the EU General Data Protection Regulation, Mondaq (Nov. 1, 2017).

139 EU Compliance: General Data Protection Regulation (GDPR), Gemalto, https://safenet.gemalto.com/data-protection/data-compliance/european-union-eu-compliance/ (“With the demise of Safe Harbor, U.S. companies that export and handle the personal data of European citizens will also need to comply with the new requirements put forth or be subject to the same consequences.”).

140 Woolich and Burling, All Change – Are You Ready for the EU General Data Protection Regulation?, Mondaq (Sept. 13, 2017).

141 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017).

142 EU Compliance: General Data Protection Regulation (GDPR), Gemalto, https://safenet.gemalto.com/data-protection/data-compliance/european-union-eu-compliance/.

143 Neocleous, Be Prepared for the EU General Data Protection Regulation, Mondaq (Nov. 1, 2017).

144 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017).

145 Id.

146 Woolich and Burling, All Change – Are You Ready for the EU General Data Protection Regulation?, Mondaq (Sept. 13, 2017) (“For example, the UK Bill will introduce criminal offences for intentionally or recklessly re-identifying individuals from anonymized or pseudonyms data, and for altering records with the intent to prevent disclosure following a subject access request.”).

147 Drew Del Matto, Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About (Dec. 5, 2017).

148 Oregon: New York State Department of Financial Services Issues Cybersecurity Regulations, US Official News (Feb. 27, 2017), https://advance.lexis.com/api/permalink/98f45bbf-eb5f-4bfe-bd6b-99089899150e/?context=1000516.

149 Kate Fazzini, NY’s Equifax-Inspired Rules Could Sweep Up Many Companies, WSJ Pro Cybersecurity (Sept. 22, 2017), https://advance.lexis.com/api/permalink/b185c3f1-e19b-4bd3-82d7-a5f30547dd56/?context=1000516.

150 Steven Lofchie, NY Department of Financial Services Cybersecurity Regulation Now Effective, Mondaq (Sept. 6, 2017) (These are part of Maria Vullo’s comments on the NYDFS program.).

151 Oregon: New York State Department of Financial Services Issues Cybersecurity Regulations, US Official News (Feb. 27, 2017).

152 Id.

153 David Forscey, Steve Cash, and Benjamin Nissim, Cybersecurity Is The Next Frontier of State Regulation, Law360 (May 11, 2017), https://www.nga.org/files/live/sites/NGA/files/pdf/2017/1706ForsceyLaw360.pdf.

154 Id.

155 Alana Ross and Barry Ross, Change is the Law of Life – JFK, Ross & Ross Int’l (Mar. 14, 2017), https://www.rossross.com/blog/change-is-the-law-of-life-jfk.
