The New York State Department of Financial Services (NYSDFS) recently unveiled its cybersecurity regulation for financial services companies, which takes effect on January 1, 2017. This regulation applies to every banking and financial services entity licensed or chartered by NYSDFS, including all foreign branches, agencies, representative offices and commercial lending companies licensed in New York state. The significant new requirements include:
- Establishment and maintenance of a systemic cybersecurity program
- Establishment and maintenance of a written cybersecurity policy
- Designation of a chief information security officer
- Annual risk assessment of information systems
- Implementation of a third-party information security policy
- Installation of multi-factor authentication
- Encryption of non-public information transmitted by the entity
- Destruction of non-public information retained by the entity
- Annual training
Cybersecurity program: Each institution organized pursuant to NYSDFS will need to establish a cybersecurity program to ensure the confidentiality and integrity of the entity’s information systems. The program must be designed to perform various functions, such as:
- Identifying internal and external cyber risks by identifying non-public information stored on the entity’s information system
- Using defensive infrastructure and implementing a cybersecurity policy to protect the non-public information from unauthorized access
- Detecting and responding to cybersecurity events to ensure the continuation of normal operations and services
The program will be subject to annual penetration testing and a quarterly vulnerability assessment. It must also establish an audit trail system that will allow for complete reconstruction of all financial transactions, to permit the detection and response to a cybersecurity event. The audit trail must be able to track and maintain data logging of all authorized users. It needs to protect the integrity of both the data stored and the hardware to prevent alterations, and must log system events to capture any access and alterations made. The program shall also limit access privileges solely to individuals who require such access to perform their job functions.
Cybersecurity policy: Each institution must produce a written cybersecurity policy, reviewed and approved annually by the board of directors and a senior officer. The policy must address 14 enumerated items, including security and monitoring of information systems and networks, data governance, access controls, business continuity, disaster recovery, physical security controls and data privacy.
Chief information security officer: Each institution will be required to either designate a qualified individual to serve as chief information security officer (CISO) or outsource the function to a third-party provider. The CISO must produce a biannual report assessing various attributes of the entity’s information systems, detailing any exceptions to the entity’s cybersecurity policy, assessing the effectiveness of the cybersecurity program and providing recommendations to remediate any deficiencies identified.
Annual risk assessment: Every year, each entity must document a risk assessment pursuant to the risk evaluation criteria established in the cybersecurity policy, and must also assess the adequacy of the information system.
Third-party information security policy: If an entity’s non-public information is accessible by any third party, the entity will need to implement a detailed third-party information security policy to protect such non-public information. The policy will require a due diligence process to be undertaken on the third party and an annual assessment of the adequacy of the third party’s cybersecurity practices.
Multi-factor authentication: Each entity must establish multi-factor authentication to gain access to its information systems. This is defined as authentication through verification of two of the following: a knowledge factor, such as a password; a possession factor, such as a token or text message on a mobile phone; and an inherence factor, such as biometric characteristics.
Encryption: Each entity must either encrypt all non-public information for transit or secure such information by alternative control, as approved by the CISO.
Destruction of non-public information: Each entity must establish policies and procedures for the timely destruction of any non-public information no longer necessary for the provision of services.
Annual training: The cybersecurity program must institute an annual training component for all personnel.
NYSDFS has included some limited exceptions to compliance with parts of this regulation, such as the risk assessment, but such exemptions will be available for relatively few entities.
Compliance officers should immediately review the details of this new regulation and commence the process of implementing the required cybersecurity program and policy. As of January 15, 2018, and every year thereafter, an entity's board of directors will be required to sign a certification that the entity was in full compliance with the regulation for the preceding year.