Why it matters

Stating that the New York Department of Financial Services believes cybersecurity to be one of the most critical issues facing the financial world today, the agency sent a letter to state and federal regulators outlining potential new cybersecurity regulation requirements. The proposed regulations would require regulated entities to adopt cybersecurity policies with respect to their own operations as as well third-party service providers. The regulations would also require regulation entities to appoint a chief information security officer, conduct an annual security audit and immediately notify DFS of significant cybersecurity incidents.

In addition to outlining proposed regulations, the letter may signal DFS's expectations with respect to cybersecurity programs, even absent formal rulemaking.

Detailed discussion

Seeking regulatory convergence for potential new cybersecurity regulations, the New York Department of Financial Services (DFS), which regulates banks and insurance companies in the state, reached out to other financial services regulators in the financial services industry, including the Office of the Comptroller of the Currency, the Federal Reserve Board of Governors, the Securities and Exchange Commission, the Consumer Financial Protection Bureau, and the National Credit Union Administration, among others.

The announcement follows multiple DFS surveys concerning regulated banks and insurers to gain insight about their cybersecurity programs, costs, and future plans.

Encouraging other regulators to provide feedback and insight, the DFS set out the key regulatory proposals currently under consideration.

Cybersecurities Policies. Covered entities would be required to implement and maintain written cybersecurity policies and procedures addressing 12 areas: information security; data governance and classification; access controls and identity management; business continuity and disaster recovery planning and resources; capacity and performance planning; systems operations and availability concerns; systems and network security; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third-party service provider management; and incident response, including by setting clearly defined roles and decision-making authority.

Third-Party Providers. With regard to third-party service provider management, the DFS said that the written policies and procedures in this area would be required to include "internal requirements for minimum preferred terms to be included in contracts with third-party service providers." Provisions would cover topics such as the use of encryption to protect sensitive data in transit and at rest, the indemnification of the entity in the event of a cybersecurity incident that results in loss, and representations and warranties by the third-party vendor concerning information security.

Multifactor Authentication. In the letter, the DFS emphasized the importance of multifactor authentication: "The Department believes that any regulation that establishes cyber security program requirements for covered entities should also address the use of multi-factor authentication as it applies to (i) customer access to web applications that captures or displays confidential information; (ii) privileged access to database servers that allow access to confidential information; and (iii) any access to internal systems or data from an external network."

Other Requirements. The proposal contemplates that each covered entity would be required to designate a qualified employee to serve as Chief Information Security Officer, conduct annual testing and audits, and would need to immediately notify the DFS of any cybersecurity incident "that has a reasonable likelihood of materially affecting the normal operation of the entity."

To read the letter from the DFS, click here.