• Banks are a key target for hackers, and finance hub New York aims to set first state regulations in this space
  • While the cyber regulatory landscape continues to shift, companies should constantly analyze and update security measures as compliance does not guarantee security

In a move to join the growing list of regulators involved in the US cybersecurity space, the New York Department of Financial Services announced earlier this month that it is considering new cybersecurity regulation for financial institutions. This follows a series of actions taken by several agencies in recent months to set new standards for data protection, including the Federal Financial Institutions Examination Council issuing their cybersecurity assessment tool in June, the National Institute of Standards and Technology Cybersecurity Framework update in July, the development of the Cybersecurity Information Sharing Act in the US Senate, and FFIEC’s latest guidance.

New York Superintendent of Financial Services Anthony J. Albanese delivered the news and sought input from 17 fellow regulators in a Nov. 9 letter. The Department is seeking to enact requirements that firms conduct mandatory annual audits, enhance identity authentication for key databases, adhere to new incident notice standards, and have single executive charged with managing their information security, among others.

On Nov. 3, FFIEC warned that banks are increasingly likely to suffer extortion for payment in return for the release of sensitive information. “Financial institutions should address this threat by conducting ongoing cybersecurity risk assessments and monitoring of controls and information systems,” the Council said in a statement. ‘Cyber-extortionists’ previously targeted exchanges and online casinos, and have recently turned their attention to the financial sector. FFIEC suggests that financial institutions cooperate with law enforcement when extorted, regularly test their incident-response plans, and share information within the industry and other companies beyond the financial sector.

Currently, states have yet to set rules in this space. While cyber-extortionists are a top threat for financial institutions, a failed attempt in New York to create new safeguards would also impose significant costs in compliance and possibly litigation on banks.

Ideally, New York’s initiative would codify initiatives that companies should be taking voluntarily. For example, mandatory audits, increased security, and a point person for information security and incident responses are all action items that Arent Fox has suggested in previous alerts. The issues to watch in New York, as this situation will certainly affect similar decisions in other states, are (a) how New York shapes these concepts into feasible and effective practices for financial institutions, (b) the timeline for implementation, which will be accelerated by the nature of the daily, imminent threats against sensitive data, and (c) the implications for post-data breach litigation against companies subject to these requirements. Businesses must also continue to look beyond regulations to ensure they are prioritizing cybersecurity and not simply cyber compliance.