New York Department of Financial Services (NYDFS) Issues “First-In-The-Nation” Cybersecurity Regulations; Office of the Comptroller of the Currency (OCC) Bank Supervision Plan Lists Cybersecurity as a Priority Objective
NYDFS Issues "First-In-The-Nation" Cybersecurity Regulations
On September 13, 2016, New York Governor Andrew Cuomo unveiled a proposed regulation mandating cybersecurity requirements for financial services companies regulated by the New York Department of Financial Services (NYDFS). The public has 45 days to comment on the proposed regulation before it becomes final and requires banks, insurance companies and financial institutions to comply with a host of requirements. The press release states the proposal "includes certain regulatory minimum standards while maintaining flexibility so that the final rule does not limit industry innovation and instead encourages firms to keep pace with technological advances." In 2015, we previewed this proposal.
The proposed regulation mandates a number of items, including: 1) the establishment of a cybersecurity program; 2) the adoption of a written cybersecurity policy; 3) the designation of a Chief Information Security Officer (CISO); and 4) the creation of a program to review the security of third-party service providers. It also includes detailed and specific requirements for the cybersecurity program itself, including: annual risk assessments; annual penetration testing and vulnerability assessments; certain procedures (e.g., application security) and standards (e.g., multi-factor authentication and review of access privileges); encryption of all non-public information "held or transmitted;" incident response plans; training; and many others.
Various aspects of the proposal appear to track existing federal standards, including aspects of the National Institute of Standards and Technology (NIST) access controls. However, it also includes new requirements and will create minimum regulatory standards for those regulated by the NYDFS.
OCC Issues FY17 Bank Supervision Operating Plan: Cybersecurity Core to Oversight and Examinations
On September 14, 2016, the Office of the Comptroller of the Currency (OCC) also released its Bank Supervision Operating Plan (the Plan) for FY2017, with cybersecurity oversight at the heart of its Large Bank, Midsize and Community Bank, and Technology Service Provider supervision requirements. Cybersecurity is treated as a core issue within the Operational Risks facing the institutions. The ability to assess the "evolving cyber threat environment and banks’ cyber resilience," information security, data protection and third-party risk management are all included in the continued oversight.
In the case of Midsize and Community Banks, the Plan states that "Examiners will continue to use the Cybersecurity Assessment Tool at banks not examined in FY2016 and follow up on any gaps identified in FY2016." The OCC is thereby making it clear that it will continue to follow through on examinations for all entities, and that it expects all regulated entities to be rectifying any issues identified in recent exams.
Consistent with the OCC's interest in the new technology being used by banks, the OCC will conduct focused examinations of technology service providers, "typically conducted on an interagency basis with the FDIC and the FRB," covering cybersecurity, enterprise risk management, third-party risk management, change management and product-and-service-specific risks.