If you’re a CISO living in New York get ready for the phone calls!!! On September 13, 2016, Governor Andrew M. Cuomo proposed the nation’s first cybersecurity regulation. Starting on September 28, 2016 there is a limited 45 day window of opportunity for financial institutions and interested parties to submit public comments before the regulations become final.
Here are the top ten reasons why CISOs in New York will be busier than ever if the regulations are finalized:
10. If you are a financial institution regulated by the New York Department of Financial Services (“NYDFS”), you are REQUIRED to comply with these new cybersecurity regulations. It is not a “reasonable efforts” or “best practices” standard; it is mandatory. This includes banks, insurance companies, mortgage companies, lenders, and money services companies.
9. Regulated financial institutions must designate a qualified individual to serve as Chief Information Security Officer (“CISO”). The CISO must report directly to the Board at least two times a year (a) identifying cyber risks; (b) assessing confidentiality, integrity and availability of information systems; (c) evaluating the effectiveness of the cybersecurity program; and (d) proposing steps to remediate any cybersecurity inadequacies.
8. Regulated financial institutions must develop written policies and procedures for third-party vendors with access to nonpublic information, very broadly defined under Section 500.01(g).
7. Regulated financial institutions must establish a cybersecurity program and adopt a written cybersecurity policy which includes procedures for protecting: (a) information security; (b) data governance and classification; (c) access controls and identity management; (d) disaster recovery; (e) network security; (f) application development; (g) customer data privacy; (h) vendor management; (i) risk assessments; and (j) incident responses.
6. CISOs are required to conduct due diligence on third-parties to evaluate whether they have adequate cybersecurity practices. CISOs are also required to perform periodic assessments, at least annually, of third parties.
5. Regulated financial institutions must implement multi-factor authentication for individuals who have access to internal systems or to support functions.
4. Annual penetration testing and vulnerability assessments must be included in the financial institution’s cybersecurity program.
3. Encryption is required for all nonpublic information held or transmitted by the financial institution. For transit data, there is one year to implement the encryption safeguards. For data at rest, there is a five year window to implement the encryption safeguards.
2. Regulated financial institutions must establish a written incident response plan which effectively responds to a cybersecurity event. Section 500.16 of the proposed regulations provides seven areas that must be included in the incident response plan, including remediation of any identified weaknesses.
1. Finally, under Section 500.17, regulated financial institutions are required to notify the superintendent of any Cybersecurity Event that has a “reasonable likelihood of materially affecting the normal operation” or “that affects Nonpublic Information.” The notification must be made within 72 hours “after becoming aware” of such a Cybersecurity Event. Additionally, the regulated financial institutions must annually submit a written statement by January 15th certifying that the institution is in compliance with the Cybersecurity regulations.
There are limited exemptions to many of these requirements, such as having fewer than 1000 customers and less than $5 million in gross annual revenues, but given these regulations are directed at NYDFS regulated entities, it is unlikely that many financial institutions will fall within these exemptions.