The new cybersecurity rules proposed by the New York State Department of Financial Services require financial services institutions to have extensive cybersecurity protections in place; including cybersecurity programs, policies, personnel, risk assessments, trainings, and breach reporting within 72-hours.
As we recently reported, the New York State Department of Financial Services (DFS) issued a set of proposed cybersecurity rules for New York financial services companies (Rules), in response to the many high profile cybersecurity breaches and hacks over the past few years. The Rules set minimum standards for financial services companies in an effort to keep their sensitive financial data and systems, and their customers' personal information, safe from breach and from cybercriminals. While many financial institutions already have robust cybersecurity programs which may be similar to the minimum standards set by the Rules, the Rules will also require each institution to jump through at least a few additional hoops, such as conducting audits, regularly certifying their compliance, and appointing a Chief Information Security Officer.
Who is covered under the Rules?
The Rules apply to almost all individuals, partnerships, and corporations operating in the banking, insurance and other financial services industries within New York and regulated by the DFS. They require all entities that are operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance, or financial services laws to meet the minimum standards set forth. See § 500.01(c). This includes state-chartered commercial banks and state-licensed branches and agencies of foreign banks.
However, the Rules include limited exemptions for smaller entities. Entities with fewer than 1,000 customers, less than $5M in gross annual revenue, and less than $10M in total assets (including affiliates) are exempt from the requirements involving the maintenance of specific cybersecurity personnel and conducting trainings, audits, and vulnerability tests. See § 500.18(a).
What do the Rules require?
- Program: Establishment and maintenance of a cybersecurity program. See § 500.02. As well as certain measures described in more detail below, the program must include:
- An infrastructure to protect the company's sensitive information systems and private information from unauthorized access, use, and malicious attacks;
- A mechanism for detecting unauthorized access, or attempted breaches, of the information systems, terminating the detected breaches, and recovering from breaches; and
- An adherence to all regulatory reporting obligations.
- Policy: Maintenance of a written cybersecurity policy. See § 500.03(a). he policy must be reviewed annually by the board of directors and approved by a senior officer responsible for compliance or information services security. See § 500.03(b). The cybersecurity policy must address:
- Security measures currently in place to protect the information systems and customer data privacy;
- Procedures to maintain, monitor, and update the information systems and networks, including management of third-party service providers;
- Assessments of the information systems' security risks and operations concerns; and
- Procedures to respond and recover from security breaches.
Encryption: Encryption of all nonpublic information in transit and at rest unless infeasible. See § 500.15.
Multi-Factor Authentication: Employment of multi-factor and risk-based authentication for logging into information systems. See § 500.12.
Application Security: Adoption of procedures (with annual reviews) for secure development practices for all in-house developed application and assessment and security testing of all externally developed applications. See § 500.08.
Third Party Information Security: Implementation of written policies and procedures regarding the security of the company's information systems and nonpublic information that are accessible by third parties doing business with the company. See § 500.11.
Data Retention Limitations: Implementation of policies and procedures for the timely destruction of any nonpublic information. See § 500.13.
Testing and Risk Assessment: Testing of the company's cybersecurity program and assessment of risks to the company's information systems. See §§ 500.05; 500.09. The testing must include a quarterly vulnerability assessment in addition to an annual penetration test. A formal risk assessment report, evaluating and categorizing the identified risks, must also be drafted annually.
Personnel: Retention of cybersecurity personnel. See §§ 500.04; 500.10. Specifically:
Appointment of a Chief Information Security Officer, who is responsible for:
implementing the cybersecurity program and enforcing the cybersecurity policy, and
drafting a biannual report detailing the integrity of the information systems and cybersecurity program and summarizing any security breaches and attempts that occurred; and
- Employment of a cybersecurity team to manage the cybersecurity program and run the day-to-day cybersecurity functions.
- Training: Implementation of and attendance by cybersecurity personnel at cybersecurity trainings. See §§ 500.10(2); 500.14. The cybersecurity team must attend regular cybersecurity trainings to keep updated on ever-changing cybersecurity threats and countermeasures. Additionally, all employees must attend cybersecurity awareness training sessions.
- Access Privileges: Limitation and periodic review of access privileges to the company's information systems solely to those individuals who need access as part of their roles. See § 500.07.
- Audit Trail: Maintenance of an audit trail system to track and log all financial transactions. See § 500.06.
- Incident Response Plan: Establishment of a written incident response plan designed to promptly respond to and recover from a cybersecurity breach. See § 500.16.
- Reporting and Certification: Reporting serious cybersecurity breaches to the Superintendent of Financial Services within 72 hours. See § 500.17. Additionally, each financial services company must annually certify that it is in compliance with the new regulations. See § 500.17. A model certification of compliance is attached as Appendix A of the Rules.
When will the Rules become effective?
The Rules are set to be published in the New York State register on September 28, 2016, after which they will enter a 45-day notice and public comment period prior to final issuance. See Press Release. The Rules become effective as of January 1, 2017. See § 500.20. However, financial institutions covered by the Rules will have 180 days to comply with the new requirements. See § 500.21.
The Rules are publicized as the first of their kind in the country and initial reactions to them have varied. Some believe they will have a minimal impact on large financial services institutions which already invest heavily in sophisticated cybersecurity programs but will be most harshly felt by smaller companies, which could have to pay upwards of millions of dollars to update their cybersecurity programs to meet the minimum requirements. Others see the Rules as a welcome effort to increase the overall level of cybersecurity in critical industries that face ever-increasing risks of cybercrime and cyberterrorism. The overall effectiveness of the Rules can only be speculated at this point. However, what is likely is that other states and even the federal government may adopt similar regulations in the near future.
As for implementing the Rules, the Federal Financial Institutions Examination Council ("FFIEC") has issued extensive material on cybersecurity awareness but has not put that guidance into the form of a regulation. A covered institution might want to refer to this FFIEC guidance in implementing the Rules.