On November 9, Anthony Albanese, Acting Superintendent of the New York Department of Financial Services (the NYDFS), sent a letter to the 18 members of the Financial and Banking Information Infrastructure Committee (the FBIIC) that outlines key regulatory proposals that NYDFS is considering as new regulations to increase financial sector cybersecurity defenses. The letter is written to “help spark additional dialogue, collaboration and, ultimately, regulatory convergence among [the NYDFS and FBIIC members] on new, strong cyber security standards for financial institutions.”
According to its website, the FBIIC “is chartered under the President's Working Group on Financial Markets, and is charged with improving coordination and communication among financial regulators, enhancing the resiliency of the financial sector, and promoting the public/private partnership.” FBIIC members include the Federal Reserve Board of Governors, the U.S. Department of the Treasury, the Securities and Exchange Commission (SEC), the National Association of Insurance Commissioners (NAIC), and other major federal and state securities and banking regulators.1 It is chaired by Treasury’s Assistant Secretary for Financial Institutions.
The NYDFS has not issued a formal Notice of Proposed Rule Making or even a discussion draft of a proposed regulation. Instead, it outlines in broad brushstrokes the Department’s expectations of what a potential regulation would require. The Department invites feedback but the tone of the letter and its timing (one week before the NAIC’s Fall National meeting) suggest that NYDFS intends to assume a leadership role in setting the agenda for robust cybersecurity regulation in the financial services sector, although the letter may be one of the few last major actions by the Acting Superintendent before he leaves office later this year.
The letter lists eight areas where potential regulations would have specific requirements for core cybersecurity functions: (1) cybersecurity policies and procedures, (2) third-party service provider management, (3) multi-factor authentication, (4) chief information security officers, (5) application security, (6) cybersecurity personnel and intelligence, (7) audits, and (8) notice of cybersecurity incidents.
(1) Cybersecurity Policies and Procedures
Each covered entity would be required to implement and maintain written cybersecurity policies and procedures that address:
(a) information security; (b) data governance and classification; (c) access controls and identity management; (d) business continuity and disaster recovery planning and resources; (e) capacity and performance planning; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and application development and quality assurance; (i) physical security and environmental controls; (j) customer data privacy; (k) vendor and third-party service provider management; and (l) incident response, including by setting clearly defined roles and decision making authority.
(2) Third-Party Service Provider Management: Preferred Contract Terms
The letter notes that third-party service providers often have access to sensitive data and to the financial institution’s systems, providing a potential point of entry for hackers. As a result, the proposal would require each covered entity to implement and maintain policies and procedures to ensure the security of sensitive data or systems that are accessible to, or held by, third-party service providers.
The policies and procedures would need to include internal requirements for minimum preferred terms to be included in contracts with third-party service providers, including provisions requiring:
(a) the use of multi-factor authentication to limit access to sensitive data and systems; (b) the use of encryption to protect sensitive data in transit and at rest; (c) notice to be provided in the event of a cybersecurity incident; (d) the indemnification of the entity in the event of a cybersecurity incident that results in loss; (e) the ability of the entity or its agents to perform cybersecurity audits of the third-party vendor; and (f) representations and warranties by third-party vendors concerning information security.
(3) Multi-Factor Authentication
Each covered entity would be required, among other things, to implement multi-factor authentication for all access to internal systems and data from an external network.
(4) Chief Information Security Officer and Submission of Annual Report to NYDFS
Each covered entity would be required to designate a qualified employee as its Chief Information Security Officer (CISO). The CISO would be responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy. In a significant departure from current practice, and consistent with the bitcoin regulation recently adopted by the NYDFS, the CISO would also be required to submit to the NYDFS an annual report, reviewed by the entity’s board, that assesses the cybersecurity program and the cybersecurity risks to the entity.
(5) Application Security
Each covered entity would be required to maintain and implement written procedures, guidelines and standards reasonably designed to ensure the security of all applications utilized by the entity, and the CISO would be required to review and update all such procedures, guidelines and standards at least annually.
(6) Cybersecurity Personnel and Intelligence
Each covered entity would be required to employ personnel adequate to manage the entity’s cybersecurity risks and perform the core cybersecurity functions, i.e., identify, protect, detect, respond and recover. The entity would also be required to provide mandatory training to cybersecurity personnel and require key cybersecurity personnel to stay abreast of changing cybersecurity threats and countermeasures. Covered entities would be able to use third parties to meet these requirements.
Each covered entity would be required to conduct annual penetration testing and quarterly vulnerability assessments and would also be required to maintain an audit trail system that:
(a) logs privileged user access to critical systems; (b) protects log data stored as part of the audit trail from alteration or tampering; (c) protects the integrity of hardware from alteration or tampering; and (d) logs system events, including access and alterations made to the audit trail systems.
(8) Notice of Cybersecurity Incidents
Each covered entity would be required to immediately notify the NYDFS of any cybersecurity incident that has a reasonable likelihood of materially affecting the normal operation of such covered entity, including any cybersecurity incident:
(a) that triggers certain other notice provisions under New York Law; (b) of which the covered entity’s board is notified; or (c) that involves the compromise of “nonpublic personal health information” and “private information” as defined under New York Law, payment card information or any biometric data.
The letter notes the key regulatory proposals but does not contain a complete list of proposals under consideration by NYDFS. The letter also invites feedback from FBIIC members in an effort to “develop a comprehensive approach to cybersecurity regulation in the weeks and months ahead.”