On November 9, 2015, the New York State Department of Financial Services (NYDFS) issued a letter to the members of the Financial and Banking Information Infrastructure Committee (FBIIC) detailing a new cybersecurity framework proposal for “covered entities,” or financial institutions regulated by NYDFS. The framework builds on data from NYDFS reports surveying cybersecurity programs from a sample of regulated banking institutions in 2013 and regulated insurers in 2013 and 2014, as well as risk assessments of financial institutions focused on cybersecurity conducted in 2014 and 2015. The letter indicates that NYDFS’s efforts and proposed framework are responsive to a demonstrated need for increased cybersecurity regulations for financial institutions.

NYDFS first outlines twelve focus areas in which it would require covered entities to implement and maintain policies and procedures: information security; data governance and classification; access controls and identity management; business continuity and disaster recovery planning and resources; capacity and performance planning; systems operations and availability concerns; systems and network security; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third-party service provider management; and incident response, including setting clearly defined roles and decision making authority.

Due to the industry’s reliance on third-party service providers for critical banking and insurance functions, NYDFS proposes that covered entities shoulder the responsibility to implement policies and procedures for contracts with these providers to ensure information security, including:

  1. The use of multifactor authentication to limit access to sensitive data and systems;
  2. The use of encryption to protect sensitive data in transit and at rest;
  3. Notice to be provided in the event of a cybersecurity incident;
  4. The indemnification of the covered entity in the event of a cyber security incident that results in loss;
  5. The ability of the entity or its agents to perform cyber security audits of the third-party vendors; and
  6. Representations and warranties by the third-party vendors concerning information security.

NYDFS also pinpoints three categories of access in which covered entities should implement multifactor authentication: customer access to web applications that capture or display confidential information, privileged access to database servers that allow access to confidential information, and any access to internal systems or data from an external network.

New York already has a state breach notification law, but NYDFS seeks to impose additional notification requirements for covered entities following cybersecurity incidents that pose “a reasonable likelihood of materially affecting the normal operation of the financial institution.” Under the framework, a covered entity would be required to “immediately” notify NYDFS following an incident that would trigger notification under New York data breach notification law, as well as any incident that results in notification of the entity’s board, or involves the compromise of “nonpublic personal health information” and “private information” as defined under New York law, including payment card information or any biometric data. “Immediately” and “nonpublic personal health information” are both undefined

The proposed framework additionally emphasizes a covered entity’s need to minimize risks from unprotected or poorly protected third parties and implement a dynamic and responsive cybersecurity infrastructure. It calls for covered entities to designate a Chief Information Security Officer (CISO) and personnel to create a response team that can identify, protect, detect, respond, and recover data security, though a covered entity may create its response team from third parties.

Importantly, NYDFS seeks policies and procedures for application security and mandatory annual penetration testing with quarterly vulnerability assessments and maintenance of a robust audit trail system that would include logging privileged user access to critical systems; protecting log data stored as part of the audit trail from alteration or tampering; protecting the integrity of hardware from alteration or tampering; and logging system events, including access and alterations made to audit trail systems.

NYDFS seeks input from a variety of stakeholders, including other regulatory agencies, prior to proposing final regulations for the financial industry. Though it is likely NYDFS will promulgate rules in 2016, this guidance builds upon the surveys, reports, and investigations NYDFS has conducted since 2013. The proposed obligations address key cybersecurity concerns expressed by many regulators, including encryption, secure remote access, incident response preparedness, and appropriate vendor oversight. The NYDFS letter signals that regulations are imminent and that covered entities should continue to assess the state of their security and privacy infrastructure to prepare for the heightened cybersecurity requirements that these regulations will require.