The New York Department of Financial Services (“DFS”) had announced in March of 2015 that as part of its plan to address a possible Cyber 9/11, it would revamp examinations of banks and insurance companies to incorporate new, targeted assessments of cybersecurity preparedness, and would consider steps to address the cybersecurity of third-party vendors.

On November 9, 2015, the DFS issued a letter to federal regulators and other interested parties proposing cyber security regulations to that effect. The proposal addressed, among other things, cybersecurity of third party vendors, technical requirements such as multi-factor authentication and notification requirements in the event of a cybersecurity incident.

In its letter, the DFS expressed its desire to coordinate efforts with federal and state agencies in creating a cyber security framework.  The DFS approach varies from the risk based approach taken earlier this by the FFIEC with its cybersecurity assessment tool (see our related post here). and the SEC with its cybersecurity guidance (see our related post here) for funds and advisers.

The DFS proposal would require regulated entities to:

  • implement and maintain a number of cybersecurity policies and procedures, including requirements for preferred terms to be included in agreements with third party service providers;
  • submit annual reports to the DFS;
  • perform periodic vulnerability assessments; and
  • designate a chief information officer (CISO) and employee personnel to perform what it calls core cybersecurity functions (identify, protect, detect, respond and recover).

The implication for financial institutions subject to supervision by the DFS, basically all New York State chartered banks, most U.S.-based branches and agencies of foreign banking institutions, and all insurance companies in New York, is a likely increase in costs to maintain the proposed administrative controls and in scrutiny over policies and procedures related to the management and maintenance of sensitive data.  There is no timeline on the proposed regulation.