[Cryptography] On New York's new "Cybersecurity Requirements for Financial Services Companies"

Henry Baker hbaker1 at pipeline.com
Wed Mar 1 13:29:19 EST 2017


At 09:38 AM 3/1/2017, Perry E. Metzger wrote:
>New York State's Department of Financial Services recently published its brand new regulation for banks, insurers and other similar companies entitled "Cybersecurity Requirements for Financial Services Companies":
>
>http://www.dfs.ny.gov/legal/regulations/adoptions/rf23-nycrr-500_cybersecurity.pdf
>
>The regulation will likely apply to a large swath of the world's commercial and investment banks and insurers because they do business in New York.
>
>It got a bunch of notice in the financial press as a result.
>
>The document is short, and I suggest anyone interested in the debate about what sort of involvement government can usefully have in computer security regulation should read it.
>
>Often, people propose that the problem in computer security is that we don't have enough regulation.
>
>If only the government were involved, we would be doing a better job.
>
>I've heard this quite a lot, especially from politicians and other people who are not security professionals.
>
>However, no one can ever quite articulate what it would be that the government would ask companies to do differently.

This sort of dance between corporations & govts is completely routine.

Example:

Acme Corporation makes a product, but it degrades in the rain.  So the Acme lobbyist gets the govt to fund more weather satellites to better predict the rain.

Unfortunately, customers are still unhappy with Acme, because sooner or later it rains & ruins the Acme products.

Not wanting to be sued, Acme gets its lobbyists to get a law passed which declares rain to be "an act of God", and therefore absolves Acme of any liability when its products fail in the rain.

Unfortunately, customers are *still* unhappy, so the Acme lobbyist proposes that the govt set up a govt-funded insurance scheme to reimburse customers whose Acme products fail in the rain.

Watching all of this, an entrepreneurial company Newco develops a product that competes with Acme, but it doesn't degrade in the rain.

All of the Congresspersons who got elected with Acme lobbyist money come down on Newco like a ton of bricks, regulating the industry in such a way that Newco's compliance costs exceed its product costs by 10x, while Acme easily meets all regulatory requirements.

Bottom line: beware of lobbyists bearing grafts.


