Anthony Albanese, the head of the New York Department of Financial Services, issued a letter to more than 20 federal and state regulators outlining proposed cybersecurity regulations for banks and insurance companies operating in New York. While the letter is a request for comment from fellow regulators, it represents a preview of several cybersecurity measures that may soon be required of the financial industry. These measures focus on guaranteeing that banks and insurers establish and maintain a formal cybersecurity program, and hold third-party vendors accountable for following similar cybersecurity practices. Specifically, the letter asks for comment on eight proposed regulatory requirements:

  • Cybersecurity Policies and Procedures: Banks and insurers would be required to maintain written, formal cybersecurity policies and procedures. These policies and procedures would address information security, privacy, data governance, access controls, incident response, and disaster recovery, among other areas.
  • Third-Party Service Provider Management: Banks and insurers would be required to implement and maintain policies designed to ensure the security of sensitive data in the hands of vendors and other service providers. These would include preferred contractual terms requiring the use of multi-factor authentication and encryption when handling sensitive data. These terms would also require notice of security events and the right to audit third-party service provider cybersecurity.
  • Multi-Factor Authentication: Entities would be required to use multi-factor authentication to access confidential information from external networks.
  • Chief Information Security Officer (CISO): Banks and insurers would be required to appoint a qualified CISO. CISOs would be obliged to submit an annual report to the Department of Financial Services assessing the cybersecurity program of their entity.
  • Application Security: Entities would be required to establish and annually update written procedures, guidelines, and standards to ensure the security of the applications they use.
  • Cybersecurity Personnel and Intelligence: Banks and insurers would need to hire, manage, and adequately train personnel qualified to perform core cybersecurity functions.
  • Audit: Banks and insurers would be required to conduct annual penetration testing and quarterly vulnerability assessments. They would also be required to maintain an audit trail for privileged user access to critical systems and logs of system events.
  • Notice of Cybersecurity Incidents: Banks and insurers would be required to immediately notify the Department of Financial Services of any cybersecurity incident with a reasonable likelihood of materially affecting the normal operation of the entity. This includes any incident that triggers other notification requirements, as well as incidents of which the entity’s Board is informed.

These proposals would impose significant requirements on the financial industry. While not officially proposed DFS regulations, the superintendent’s letter gives us a preview of the kind of requirements that are under consideration.