On November 9, the New York Department of Financial Services (“NYDFS”), publicly released a letter that Acting Superintendent Anthony Albanese sent to certain federal and state banking, securities and insurance regulators1 outlining a set of potential new regulations under consideration at NYDFS aimed at increasing cybersecurity defenses within the financial sector.
This letter noted three broad conclusions and concerns resulting from surveys and risk assessments undertaken by NYDFS in 2013 and 2014 of almost 200 of its regulated banking organizations and insurance companies:
- First, although noting that financial institutions have taken significant steps to bolster cybersecurity efforts in recent years, NYDFS believes companies will continue to be challenged by the speed of technological change and the increasingly sophisticated nature of threats, and that cybersecurity programs must remain dynamic to keep pace with this fast-changing landscape.
- Second, there are significant risks presented by third-party service provider access to a financial institution’s systems and sensitive data. This serves as a potential point of entry for hackers, and a financial institution’s sophisticated system and controls may be ineffective if its service provider has weak controls.
- Finally, NYDFS believes the scale and breadth of recent breaches and incidents demonstrate that cybersecurity is a global concern that affects every industry at all levels.
Given these concerns, NYDFS believes that robust regulatory action in the cybersecurity space is needed and announced that it was now considering new cybersecurity regulation for financial institutions. The letter invites the addressed state and federal regulators to work with NYDFS to develop a comprehensive cybersecurity framework.
The areas in which NYDFS is currently considering regulatory proposals include:
- Written cybersecurity policies and procedures that covered entities would be required to implement and maintain;
- Implementation and maintenance of policies and procedures to ensure the security of sensitive data or systems accessible to or held by third party service providers;
- Multi-factor authentication requirements for customer access to web applications, privileged access to database servers with confidential information or any access to internal systems or data from an external network;
- Designation of a qualified employee of a covered entity as the entity’s Chief Information Security Officer responsible for overseeing and implementing its cybersecurity program and enforcing its cybersecurity policies;
- A requirement that covered entities maintain and implement written procedures, guidelines and standards designed to ensure the security of all applications used by the entity;
- Employment of personnel adequate to manage the entity’s cybersecurity risks and perform the core cybersecurity functions of “identify, protect, detect, respond and recover”;
- Requirements for covered entities to conduct annual penetration testing and quarterly vulnerability assessments, and to maintain an audit trail system; and
- Immediate notification of NYDFS of any cybersecurity incident that has a reasonable likelihood of materially affecting the normal operation of an entity.
A copy of the NYDFS letter is available here:
Consistent with other recent developments in the area of cybersecurity, this letter highlights growing regulatory concern with the cyber preparedness of financial institutions and reflects the recognition that regulated entities, their customers and the public more generally will benefit from a coordinated regulatory approach to these issues. In any event, this letter clearly suggests that NYDFS views these issues as important and in need of robust regulatory response action. In addition, while the NYDFS is seeking cooperation among the various regulators, it may also be ready and willing to act in the near term on its own. To this end, the letter states that NYDFS “welcomes the opportunity to work with other regulators to develop a comprehensive approach to cybersecurity regulation in the weeks and months ahead” [emphasis added]. More generally, we expect the area of cybersecurity-related regulation to continue to develop at a rapid pace, particularly for financial institutions, and in light of the complex regulatory framework, we expect regulatory coordination to evolve on an iterative basis. In any event, financial institutions that are subject to NYDFS’s jurisdiction should prepare themselves for increased oversight and reporting with respect to cybersecurity matters.