New York Cybersecurity Regulations Explained

Posted by Roane Holman


Recently, New York’s Department of Financial Services and Gov. Andrew Cuomo released their long-awaited proposal for cybersecurity regulations regarding banking and financial services companies. The proposal, if implemented, would be the first mandatory state-level regulations on cybersecurity and promises to deliver sweeping protections to consumers and financial institutions alike. In Gov. Cuomo’s words: "This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible."

Most agree that cyber risk is a growing threat and more needs to be done in terms of regulation and legal controls to help protect our sensitive data. However, New York’s new proposal has garnered mixed reviews and even drawn some criticism. Some argue that the proposed regulations are too stringent and prescriptive, which in turn would hurt businesses by adding significant costs and alienating smaller institutions. Take a look at the details of this proposal and see where you stand on the issue.

Scope:
The proposal is very broad. It covers any individual or entity operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance, or financial services laws. Smaller entities have some exceptions, but are still expected to comply with many of the regulation's requirements. This would also include state-chartered and foreign banks licensed to operate in the state, including Goldman Sachs Group, Barclays and Deutsche Bank, and all insurance companies that do business in the state.

Key Elements of the Proposal:
1. Establishment of a Cybersecurity Program
2. Adoption of a Written Cybersecurity Policy
3. Mandatory Chief Information Security Officer
4. Cybersecurity Training for Employees
5. Third-Party Service Providers Risk
6. Incident Monitoring and Reporting
7. Information Security Audits

Important Dates:
Comments & Feedback on the Proposal are due: November 12, 2016
The Proposal, unless modified, would become effective: January 1, 2017
Companies then have a 180-day grace period for compliance
Final deadline to comply with guidelines: June 30, 2017

1. Establishment of a Cybersecurity Program
The regulation requires companies to have a cybersecurity program which:
• Identifies cyber risks (internal or external)
• Creates a defensive infrastructure to protect covered information
• Detects "cybersecurity events" such as a breach
• Fulfills regulatory reporting obligations
• Responds to identified cybersecurity events to mitigate any negative effects
• Recovers from cybersecurity events and restores normal operations and services

2. Adoption of a Written Cybersecurity Policy
Regulated financial institutions must adopt a written cybersecurity policy, setting forth policies and procedures for the protection of their information systems, including:
• Access controls and identity management
• Business continuity and disaster recovery planning and resources
• Capacity and performance planning
• Systems operations and availability concerns
• Systems and network security
• Systems and network monitoring
• Systems and application development and quality assurance

3. Chief Information Security Officer
Regulated institutions must designate a qualified individual to serve as Chief Information Security Officer (CISO) responsible for overseeing and implementing the institution’s cybersecurity program, with role responsibilities including:
• Identification of cyber risks
• Assessing the efficacy of the organization's cybersecurity program
• Proposing steps to remediate any inadequacies identified
• Assessment of the confidentiality, integrity and availability of information systems
• Detailing exceptions to cybersecurity policies and procedures

4. Cybersecurity Training for Employees
The proposed regulation further requires companies to employ cybersecurity personnel to manage the program, as well as to provide mandatory and regular cybersecurity education and training.

5. Third-Party Service Providers' Risk
Regulated entities must have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties. These must include the following:
• Identification and risk assessment of third parties with access to data
• Minimum cybersecurity practices required to be met by such third parties
• Due diligence processes used to evaluate the adequacy of their cybersecurity practices
• Periodic assessment, at least annually, of third parties and their continued security

6. Incident Monitoring and Reporting
When a "cybersecurity event" such as a breach occurs, the proposed regulation requires companies to notify the Department within 72 hours.

7. Information Security Audits
At least annually, each Covered Entity shall conduct a risk assessment of the Covered Entity’s Information Systems. Such risk assessment shall be carried out in accordance with written policies and procedures and documented in writing. The regulations would require the board of directors to annually review the company’s cybersecurity program and provide a ‘Certification of Compliance’ with the NYDFS Cybersecurity Regulations.

Additional Requirements Include:
• Risk assessment of the security, integrity, and availability of information systems
• Penetration testing and vulnerability assessments
• Multi-factor authentication for individuals accessing internal systems
• Encryption of all nonpublic information held or transmitted
• Timely destruction of nonpublic information that is no longer necessary for business

This is a simplified, high-level summary of New York’s proposed cybersecurity requirements for financial services companies. The NY State Government provides summarized and full versions of the proposal here: Summarized Version / Full Version

To help you get started strategizing around coming regulations and to learn more about how to manage enterprise cyber risk, check out this free eBook: The Executive's Guide to Managing Cyber Risk
