New York Proposes New Cybersecurity Regulations for Financial Institutions
Financial Institutions Law Update 10/11/16 James I. Kaplan, Moein M. Khawaja
Responding to a spate of recent data breaches at financial institutions and other hacking events at large corporations, the New York State Department of Financial Services (NYDFS) has proposed new cybersecurity regulations for financial institutions, insurance companies, and other financial services firms. Following the September 28, 2016 publication in the New York State Register, 38 days remain to submit comments on the plan before it becomes final. The new regulations go into effect January 1, 2017, and covered entities will have 180 days to comply thereafter.
The new regulations will apply only to financial institutions (Covered Entities) licensed by New York (which includes state-chartered banks and foreign banks operating in the state) and not to federally chartered institutions. But as the first state to issue such guidelines, and given New York’s central role in the global financial system, the NYDFS can set a precedent followed by other regulators and perhaps influence industry standards. Large banks and insurance companies are likely already in compliance, but smaller New York banks, credit unions, and insurers will have to move quickly to bring their cybersecurity programs up to the regulatory standard. This blanket approach may be subject to comment and criticism.
The regulations will apply to all “nonpublic information,” broadly defined to include (1) anything that would cause, if breached, a material adverse impact on a business’s operations; (2) any information an individual provides in connection with seeking a financial product; (3) certain health information; and (4) any information which can trace an individual’s identity—in other words, nearly all information provided to and held by the financial and insurance industry. These broad definitions may be refined in response to the public comment period.
The proposed rules address and require the following:
- A cybersecurity program designed to ensure the confidentiality, integrity, and availability of information systems. The program must identify risks, implement policies and procedures to protect against malicious acts and unauthorized use, detect cybersecurity events, respond effectively to such events with proper mitigation, and enable recovery from cybersecurity events.
- A detailed cybersecurity policy setting forth policies and procedures for the protection of information systems and nonpublic information.
- A Chief Information Security Officer (or CISO) responsible for overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy. The CISO must report to the board at least bi-annually.
- Oversight of vendors and other third-party service providers. Covered Entities must ensure their vendors meet minimum cybersecurity practices by conducting due diligence and periodic annual assessments. These minimum standards for vendors are similar to, but less stringent than, the standards imposed on Covered Entities by the new regulations, and, importantly, Covered Entities bear the responsibility for vendor compliance. This requirement of the new regulations will likely prove to be the most challenging, as third-party vendors can often present the greatest cybersecurity risk.
- Additional requirements, including annual penetration testing and vulnerability assessments, reviews of employee access privileges, employee training, destruction of unnecessary information, encryption of all nonpublic information while stored “at rest” and during transmission, and numerous other requirements.
Covered Entities must annually certify compliance with the new regulations. Moreover, they must notify the New York Superintendent of Financial Services of any cybersecurity event within 72 hours, including any unauthorized attempts, even if such attempts are not successful. The 72-hour window may well close before the Covered Entity even understands the full nature of an incident.
It remains to be seen which of these requirements can be automated, and which will require significant increases in personnel or consulting services. In addition to the CISO, additional personnel or appropriate third parties will be required to review employee access privileges, conduct trainings, determine which information should be destroyed or retained, and conduct oversight of vendors, among other things. A shortage of cybersecurity professionals may pose additional challenges. Moreover, relationships and associated agreements with vendors may have to be modified to include additional indemnities, representations, and warranties. Nevertheless, although compliance costs may increase, these costs will likely prove to be a very small price to pay if they succeed in preventing cybersecurity events and standardizing industry practices. As the financial industry moves closer and closer to becoming entirely digitized, it is imperative that cybersecurity policy stays a step ahead of new technological developments. New York has recognized this need, and it is likely other jurisdictions will follow.