Recently, New York’s Department of Financial Services and Gov. Andrew Cuomo released their long-awaited proposal for cybersecurity regulations regarding banking and financial services companies. The proposal, if implemented, would be the first mandatory state-level regulations on cybersecurity and promises to deliver sweeping protections to consumers and financial institutions alike. In Gov. Cuomo’s words: "This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible."
Most agree that cyber risk is a growing threat and more needs to be done in terms of regulation and legal controls to help protect our sensitive data. However, New York’s new proposal has garnered mixed reviews and even drawn some criticism. Some argue that the proposed regulations are too stringent and prescriptive, which in turn would hurt businesses by adding significant costs and alienating smaller institutions. Take a look at the details of this proposal and see where you stand on the issue.
Scope of New York Cybersecurity Regulations
The proposal is very broad. It covers any individual or entity operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance, or financial services laws. Smaller entities have some exceptions, but are still expected to comply with many of the regulation's requirements. This would also include state-chartered and foreign banks licensed to operate in the state, including Goldman Sachs Group, Barclays and Deutsche Bank, and all insurance companies that do business in the state.
Key Elements of New York CyberSecurity Regulations
- Establishment of a Cybersecurity Program
- Adoption of a Written Cybersecurity Policy
- Mandatory Chief Information Security Officer
- Cybersecurity Training for Employees
- Third-Party Service Providers Risk
- Incident Monitoring and Reporting
- Information Security Audits
Important Dates for New York Cybersecurity Regulations
Comments & Feedback on the Proposal are due: November 12, 2016.
The Proposal, unless modified, would become effective: March 1, 2017.
Companies then have a 180-day grace period for compliance and the final deadline to comply with guidelines: September 30, 2017
1. Establishment of a Cybersecurity Program
The regulation requires companies to have a Cybersecurity program which:
- Identifies cyber risks (internal or external)
- Creates a defensive infrastructure to protect covered information
- Detects "cybersecurity events" such as a breach
- Fulfills regulatory reporting obligations
- Provide responsiveness to identified cybersecurity events to mitigate any negative events
- Recovery from cybersecurity events and restoration of normal operations and services.
2. Adoption of a Written Cybersecurity Policy
Regulated financial institutions must adopt a written cybersecurity policy, setting forth policies and procedures for the protection of their information systems, including:
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Capacity and performance planning
- Systems operations and availability concerns
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
3. Chief Information Security Officer
Regulated institutions must designate a qualified individual to serve as Chief Information Security Officer (CISO) responsible for overseeing and implementing the institution’s cybersecurity program, with role responsibilities including:
- Identification of cyber risks
- Assessing the efficacy of the organization's cybersecurity program
- Proposing steps to remediate any inadequacies identified
- Assessment of the confidentiality, integrity and availability of information systems
- Detailing exceptions to cybersecurity policies and procedures
4. Cybersecurity Training for Employees
The proposed regulation further requires companies to employ cyber security personnel to manage the program, as well as to provide for mandatory and regular cybersecurity education and training.
5. Third-Party Service Providers' Risk
Regulated entities must have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties and include the following:
- Identification and risk assessment of third-parties with access to data
- Minimum cybersecurity practices required to be met by such third-parties
- Due diligence processes used to evaluate the adequacy of cybersecurity practices
- Periodic assessment, at least annually, of third-parties and their continued security
6. Incident Monitoring and Reporting
When a "cybersecurity event" such as a breach occurs, the proposed regulation requires companies to notify the Department within 72 hours.
7. Information Security Audits
At least annually, each Covered Entity shall conduct a risk assessment of the Covered Entity’s Information Systems. Such risk assessment shall be carried out in accordance with written policies and procedures and documented in writing. The regulations would require the board of directors to annually review the company’s cybersecurity program and provide a ‘Certification of Compliance’ with the NYDFS Cybersecurity Regulations.
Additional Requirements Include:
- Risk assessment of the security, integrity, and availability information systems
- Penetration testing and vulnerability assessments
- Multi-factor authentication for individuals accessing internal systems
- Encryption of all nonpublic information held or transmitted
- Timely destruction of nonpublic information that is no longer necessary for business
This is a simplified, high-level summary of New York’s proposed cybersecurity requirements for financial services companies. The NY State Government provides summarized and full versions of the proposal here: Summarized Version / Full Version
On December 28, 2016, the New York State (NYS) government published the updated “Cybersecurity Requirements for Financial Service Companies” (23 NYCRR 500) following public input on its predecessor proposal. While the most obvious change is that the regulation’s effective date has been moved from January 1, 2017 to March 1, 2017, the Department of Financial Services (DFS) notes that Sections 500.11, 500.15, 500.21 and 500.22 were also substantially altered. Equally telling are the revisions that remain unchanged, which for Covered Entities are as important as what is new.
In a further demonstration of how critical risk assessment is, the Department explicitly reiterated that compliance with various provisions will be dependent on Section 500.9 Risk Assessment. The affected requirements include the Cybersecurity Program, Cybersecurity Policy, (annual) Penetration Testing and (biannual) Vulnerability Assessments, Access Privileges, Third Party Service Provider Security Policy, Multi-Factor Authentication, Encryption of Nonpublic Information and Training and Monitoring. In evaluating Covered Entities, DFS is unequivocal that "Risk Assessment is not intended to permit a cost-benefit analysis of acceptable losses where an institution is faced with cybersecurity risks.” Therefore, the integrity of an organization’s risk assessment is the central tenet for compliance with 23 NYCRR 500. As pointed out in our first webinar, internal and external assessments are essential for effective compliance.
In spite of concerns that certain definitions were too broad and could be overly burdensome to comply with, DFS chose to retain some in their present form - Cybersecurity Event, Information System, Publicly Available Information - while Nonpublic Information and Risk Assessment were altered and added. It is especially noteworthy that the definition of "Cybersecurity Event" is unchanged, as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System. Companies are required to not only be able to detect, evaluate, document, respond and recover from such events but also have to notify New York’s Superintendent of Financial Services within 72 hours after determination.