Tick Tock: the Final Deadline to Comply With NY’s AppSec Requirement

After tightened cybersecurity restrictions from GDPR and California's CaCPA, New York is cracking down, making it clear that cybersecurity is not an option.

by James Lee · Sep. 04, 18 · News


It Could Have a Bigger Impact Than More Famous Legal Siblings

When the history of Summer of 2018 is written, the chapter on Data Protection and Privacy will be dominated by the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CaCPA – aka California GDPR). Both represent a seismic shift in how the business community manages and protects consumer information and both — if you read the fine print — focus on cybersecurity.

Less attention has been paid to the September 4, 2018 compliance deadline for the New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500). Where GDPR and CaCPA reference a general duty to maintain security practices and procedures appropriate to the risk of harm to consumers, the New York regulation explicitly requires a distinct, robust application security program:

Section 500.08 Application Security

(a) Each Covered Entity’s cybersecurity program shall include written procedures, guidelines, and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.

(b) All such procedures, guidelines, and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.


There’s a lot of punch packed into those 83 words. The word “shall” makes AppSec mandatory; “in-house developed” and “externally developed” together mean every application a regulated company uses, whether written internally or bought from a vendor, must meet defined standards; and “periodically reviewed” means the program cannot be a “one and done” exercise.

Network protections have historically received the lion’s share of cybersecurity funding and staffing, yet known vulnerabilities in application code remain one of the most common ways successful attacks get in. Pick just about any of the high-profile data breaches of the past decade and chances are a flaw in an application was at the core of the attack — often a vulnerability that was publicly known, and for which a patch existed, but that had not been applied.

That’s one of the reasons why the NY DFS regulation includes a specific application security section. It’s also one of the reasons why American Banker, a leading financial services trade publication, recently asked the question “Should N.Y.’s strict cybersecurity rule be a model for the country?” That’s an open-ended question, but compared to the broad provisions of the GDPR and CaCPA, the NY regulation makes clear that efforts to improve cybersecurity are not optional.

There are other provisions of the Regulation that become enforceable on September 4th, including requirements for Audit Trails (Section 500.06), Limitations on Data Retention (Section 500.13), Training and Monitoring (Section 500.14), and Encryption of Nonpublic Information (Section 500.15). Compliance with the Regulation’s final provision — the Third Party Service Provider Security Policy (Section 500.11) — is required by March 1, 2019.


Published at DZone with permission of James Lee, DZone MVB. See the original article here.
