Could New York's Cybersecurity Regulation Affect Other States’ Virtual Currency Businesses?
On March 1, 2017, New York’s cybersecurity regulation (23 NYCRR Part 500) went into effect statewide. The rules, which were originally established in 2015 as a method to combat the flood of cybercrimes and increase consumer confidence, set a new standard for companies in the financial services industry within the state. On April 9, 2017, Maria Vullo, superintendent of the New York Department of Financial Services (DFS), suggested that New York’s cybersecurity regulation should be the model for the US when she proposed that all states should operate on a "consistent framework" and the "New York regulation is a road map with rules of the road."
However, if implemented nationwide, similar regulations could negatively impact virtual currency companies and blockchain-based fintech startups. They would be required to complete a number of tasks, such as establishing written cybersecurity policies, conducting annual penetration tests, conducting quarterly vulnerability assessments, implementing multi-factor or risk-based authentication, hiring a chief information security officer, encrypting nonpublic information, and establishing an incident response plan.
Due to the rigorous BitLicense pre-requisite, virtual currency companies fall under the class of “Covered Entities” and therefore must abide by the state’s strict cybersecurity requirements. The burden imposed by these regulations can already be seen in New York’s virtual currency/blockchain community. When the regulation went into effect on August 8, 2015, a number of bitcoin companies announced their departure from the state. Since then, only a small number of firms have obtained the license and this has led to much debate and controversy in the blockchain community.
In 2015, software developer and entrepreneur Theo Chino filed a lawsuit challenging the BitLicense due to its costliness. However, this isn’t shocking, as New York imposes strict limitations and even budding blockchain startups or “Non-Exempt Covered Entities” must meet the following requirements:
- Have less than 10 employees (including independent contractors), or
- Generate less than $5,000,000 in gross annual revenue (for the past three fiscal years from New York business operations), or
- Have less than $10,000,000 in year-end total assets (calculated using generally accepted accounting principles, including assets of affiliates).
Cybersecurity remains one of the key problems facing the fintech industry, and solutions should be considered because investors only invest when it’s safe. The nationwide implementation of a New York-influenced cybersecurity model could be good for the fintech industry in the long run but may be bad for virtual currency and blockchain businesses in the short run.