Last week, the New York State Department of Financial Services (the Department) issued a set of proposed cybersecurity requirements for financial institutions. The proposal is a continuation of the Department's efforts to strengthen cybersecurity practices of the financial sector. Over the past two years, the Department conducted surveys of regulated banking organizations regarding their cybersecurity programs, including third-party vendor management programs and issued reports with the survey findings.

The Department identified several concerns resulting from these reports: (i) companies continue to be challenged by the speed of changing technologies and the increasingly sophisticated nature of cyber threats; (ii) third-party vendors pose certain security risks, given their access to sensitive data; and (iii) cybersecurity is a "global concern that affects every industry at all levels." These conclusions have led the Department to consider implementing new cybersecurity regulations for financial institutions.

Specifically, the Department proposes that financial institutions be required to:

  • implement and maintain written cybersecurity policies and procedures
  • implement and maintain third-party vendor management programs
  • implement multi-factor authentication for all access to internal systems and data from an external network
  • designate a Chief Information Security Officer (CISO)
  • maintain written procedures to address application security
  • employ personnel to manage cybersecurity risks and perform core cybersecurity functions
  • conduct annual pen testing and quarterly vulnerability assessments
  • immediately notify the Department of any cybersecurity incident that "has a reasonable likelihood of materially affecting the normal operation of the entity," including any cybersecurity incident where:
    • other notice provisions under New York law are triggered;
    • the entity's Board of Directors is notified; or
    • "nonpublic personal health information" and "private information," payment card information or any biometric data is compromised.

The proposed notification requirement is significant because it potentially imposes broader notice obligations on entities than is currently required under state laws. For example, if an entity chooses to notify its Board of Directors of a cybersecurity incident but is not otherwise obligated to notify state regulators or affected individuals under state law, the entity would nonetheless have to notify the Department under its new proposal.

The proposal further emphasizes the increasing view of regulators and policymakers that cybersecurity is a risk management process that should be addressed and implemented at the enterprise level.

The Department clarified that the proposed requirements are not exhaustive and are subject to further revision as discussions continue. Read the complete list of proposed requirements.