New York Department of Financial Services Issues Proposed Cybersecurity Regulations
Regulated Institutions to be Required to Establish Cybersecurity Program and Policies, Appoint CISO, and Certify Compliance
September 19, 2016
On September 13, 2016, the New York State Department of Financial Services (the “DFS”) issued proposed regulations requiring banks, insurance companies, and other financial services institutions regulated by the DFS (“Regulated Institutions”) to establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity, and availability of the Regulated Institution’s information systems (the “Proposed Regulations”). The Proposed Regulations would also require Regulated Institutions to implement and maintain a written cybersecurity policy setting forth policies and procedures for the protection of their information systems and the nonpublic information stored therein. Starting January 15, 2018 and annually thereafter, Regulated Institutions would be required to submit to the DFS a certificate of the Board chairperson or a senior officer attesting compliance with the Proposed Regulations.
The Proposed Regulations reflect the New York financial regulator’s intense interest in the cybersecurity practices and policies of Regulated Institutions, including a recent expansion of its use of cybersecurity topics and questions in examinations of banking institutions.1 The DFS has also conducted industry surveys to understand the existing cybersecurity practices and policies of Regulated Institutions. The results of these surveys are detailed in three reports concerning, respectively, the banking sector, the insurance sector, and management by banking institutions of third party service providers.2 The DFS announced that it was considering new cybersecurity regulations for Regulated Institutions in a November 9, 2015 letter sent to certain federal and state banking, securities and insurance regulators. In the letter, the DFS described its main areas of focus for cybersecurity regulation and invited the addressed federal and state regulators to work with the DFS to develop a comprehensive cybersecurity framework.3 In a March 2016 Consent Order, the DFS concluded that a lead-generating business for payday loans had misrepresented the safety and security of the personal information provided by consumers and, for the first time, required a company to apply consumer data security measures to its future collection of consumers’ personal information.4
The Proposed Regulations generally require Regulated Institutions to establish and maintain a cybersecurity program, implement and maintain a written cybersecurity policy, designate a qualified individual to serve as Chief Information Security Officer (“CISO”), and adhere to certain reporting, notification, and certification requirements.
A. CYBERSECURITY PROGRAM
Under the Proposed Regulations, Regulated Institutions are required to establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity, and availability of their information systems. The “core functions” of the program consist of: (i) identification of internal and external risks by, at a minimum, identifying and evaluating the sensitivity of and permitted access to nonpublic information stored on the Regulated Institution’s information systems; (ii) use of defensive infrastructure and implementation of policies and procedures to safeguard the Regulated Institution’s information systems and nonpublic information stored therein; (iii) detection of, response to, and recovery from cybersecurity events; and (iv) fulfillment of all regulatory reporting obligations. The Proposed Regulations set out a number of features Regulated Institutions must include in their cybersecurity program. These include:
- Limited Access Privileges. Regulated Institutions must periodically review access privileges and restrict access to information systems that contain nonpublic information to only those persons who require access to perform their jobs.
- Multi-Factor Authentication. Regulated Institutions must require multi-factor authentication—that is, authentication using at least two different types of authentication factors, such as a password, token or biometric characteristic—for access to internal systems or data from an external network and for privileged access to database servers that allow access to nonpublic information. Regulated Institutions must also require risk-based authentication—a method of authentication that requires additional verification of identity when deviations from a user’s normal use patterns are detected—and support multi-factor authentication for individuals accessing web applications that capture, display, or interface with nonpublic information, such as online banking or insurance portals.
- Encryption. Regulated Institutions are required to encrypt all nonpublic information that they hold or transmit, both in transit and at rest. Recognizing that such encryption might be unfeasible at the moment, the Proposed Regulations provide a grace period of one year for in-transit encryption and five years for at-rest encryption from the date the regulation becomes effective, during which Regulated Institutions may secure nonpublic information using alternative compensating controls approved by the CISO.
- Maintaining Audit Trail Systems. Regulated Institutions must maintain “audit trail” systems to track and safely store certain information necessary to identify and respond to cybersecurity events. Among other things, the “audit trail” systems must track and maintain data that permits the complete and accurate reconstruction of all financial records and accounting needed to detect and respond to a cybersecurity event; track and log access to critical systems; protect the stored audit trail data from alteration or tampering; protect the integrity of hardware from alteration or tampering, including by limiting electronic and physical access permissions and maintaining access logs; and log system events including, at a minimum, access and alterations made to the audit trail systems and all system administrator functions. Records produced as part of the audit trail must be maintained for at least six years.
- Quarterly Vulnerability Assessments and Annual Penetration Testing. Regulated Institutions must, at a minimum, perform quarterly vulnerability assessments of their information systems and conduct annual penetration testing during which assessors attempt to circumvent or defeat the security features of the institution’s information systems.
B. WRITTEN POLICIES AND PROCEDURES
A Regulated Institution must also implement and maintain a written cybersecurity policy setting forth policies and procedures for protection of its information systems and nonpublic information stored therein.5 The cybersecurity policy must be reviewed by the board of directors or equivalent body and approved by an appropriate senior officer. The Proposed Regulations set out a number of areas that must be covered by the cybersecurity policies and procedures:
- Risk Assessments. Regulated Institutions must establish written policies and procedures for annual risk assessments of their information systems. These policies and procedures must include, at a minimum, criteria for evaluating and categorizing identified risks; criteria for assessing the information systems’ confidentiality, integrity and availability, including the adequacy of existing controls in light of identified risks; and requirements for documenting how identified risks will be mitigated or accepted, justifying such decisions, and assigning accountability for the identified risks.
- Third Party Assessments. Regulated Institutions must implement policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third parties doing business with the Regulated Institution. Such policies and procedures would need to address, among other things, minimum cybersecurity practices required to be met by third parties to do business with the Regulated Institution and “preferred provisions” to be included in contracts, including representations and warranties concerning the integrity of the vendor’s products or services, use of safeguards such as encryption of data at rest and in transit and multi-factor authentication, prompt notice in the event of a cybersecurity incident, and audit rights.
- Incident Response Plan. Regulated Institutions are required to establish a written incident response plan designed to promptly respond to, and recover from, cybersecurity incidents. Among other topics, such incident response plans must address external and internal communications and information sharing; the definition of clear roles, responsibilities, and levels of decision-making authority; and remediation of any identified weaknesses in information systems and controls.
- Application Development. Regulated Institutions must adopt procedures, guidelines and standards for internal development of applications and for testing the security of externally developed applications.
- Timely Destruction of Nonpublic Information. Unless otherwise required by law or regulation, Regulated Institutions are required to destroy certain nonpublic information no longer necessary for the provision of the products or services for which the information was provided.
- Activity Monitoring. Regulated Institutions must implement risk-based policies, procedures, and controls to monitor the activity of authorized users and detect unauthorized access to, use of, or tampering with nonpublic information by authorized users.
C. CHIEF INFORMATION SECURITY OFFICER AND CYBERSECURITY PERSONNEL
Each Regulated Institution must designate a qualified individual to serve as CISO and be responsible for overseeing and implementing the entity’s cybersecurity program and enforcing the cybersecurity policy, although the Proposed Regulations do not discuss requisite qualifications for the position. The Regulated Institution must also employ cybersecurity personnel sufficient to manage the cybersecurity risks and perform the core functions of the cybersecurity program. Notably, the functions of CISO and cybersecurity personnel may be contracted out to a third party provider, as long as the Regulated Institution maintains responsibility for compliance with the Proposed Regulations, designates a senior member of its personnel as responsible for oversight of the service provider, and requires the service provider to maintain a cybersecurity program that complies with the Proposed Regulations.
D. REPORTING, NOTIFICATION AND CERTIFICATION REQUIREMENTS
The CISO must prepare a report, at least bi-annually, to be presented to the board of directors or equivalent body of the Regulated Institution or, if no such body exists, to an appropriate senior officer. This report, which must be made available to New York’s Superintendent of Financial Services (the “Superintendent”) upon request, must address the confidentiality, integrity, and availability of the information systems; detail exceptions to the cybersecurity policies and procedures; identify cyber risks; assess the effectiveness of the cybersecurity program; propose steps to remediate any inadequacies; and include a summary of all material cybersecurity events that affected the Regulated Institution during the time period covered by the report.
The Regulated Institution must notify the Superintendent of any cybersecurity event that has a reasonable likelihood of materially affecting the normal operation of the Regulated Institution or that affects nonpublic information. The notification must be made as promptly as possible, but in no event later than 72 hours after the Regulated Institution becomes aware of the cybersecurity event. Cybersecurity events that may trigger a notification obligation include any event of which notice is provided to any government or self-regulatory agency and any cybersecurity event involving the actual or potential unauthorized tampering with, access to, or use of nonpublic information.
Starting January 15, 2018 and annually thereafter, Regulated Institutions must submit a written statement to the Superintendent certifying compliance with the regulations. The statement must include any material risks of imminent harm to the Regulated Institution’s cybersecurity program identified throughout the year. Regulated Institutions must also document the identification of, and remedial efforts with respect to, areas, systems, or processes that require material improvement, updating, or redesign.
The Proposed Regulations provide an exemption from some of their requirements to Regulated Institutions with (a) fewer than 1,000 customers in each of the last three calendar years; (b) less than $5,000,000 in gross annual revenues in each of the last three fiscal years; and (c) less than $10,000,000 in year-end total assets, including assets of affiliates.
The Proposed Regulations are subject to a 45-day notice and public comment period and are expected to go into effect on January 1, 2017. Regulated Institutions will generally have 180 days from the effective date to bring themselves into compliance.
The Proposed Regulations are a departure from the less prescriptive assessment tools, guidance, and frameworks proffered by other U.S. regulators to date. The Proposed Regulations would not, however, appear to contravene, in most instances, the guidance previously issued by others, including the Federal Financial Institutions Examination Council’s Assessment Tool, and other commonly-used cybersecurity resources, like the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework. Although a number of the measures prescribed by the Proposed Regulations reflect current practices among Regulated Institutions, many of these practices will need to be modified or supplemented to ensure both compliance with the Proposed Regulations and that such compliance can be demonstrated effectively. Further, the reports stemming from the DFS’s industry surveys suggest that, if the Proposed Regulations are implemented, a fair number of Regulated Institutions will have to make additional meaningful changes to their cybersecurity practices. These changes include:
- The designation of a Chief Information Security Officer. Only 64% of financial institutions surveyed by the DFS reported having a dedicated information security executive, and of those executives, only 25% report directly to the board of directors. Eighty-one percent of insurers surveyed reported having such a dedicated executive. As noted above, the Proposed Regulations would permit Regulated Institutions to meet the CISO requirement using third party service providers, subject to certain conditions. This option should afford greater flexibility to smaller Regulated Institutions for whom hiring a full-time CISO may be impractical.
- The establishment of incident response plans that address, among other things, post-incident communications. 83% of surveyed financial institutions with assets exceeding $10 billion, 65% of surveyed financial institutions with assets below $10 billion, and 88% of surveyed insurers reported having a communication plan for addressing stakeholders that may be affected by a cybersecurity breach.
- The use or support of multi-factor authentication in certain circumstances. Although 93% of surveyed financial institutions with assets exceeding $10 billion and over 80% of surveyed insurers deployed smartcards and other one-time password tokens commonly used in a multi-factor authentication process, only 76% of financial institutions with assets between $1 billion and $10 billion and 52% of financial institutions with assets below $1 billion did the same. Moreover, only 70% of financial institutions surveyed required multi-factor authentication for at least some third party vendors to access sensitive data or systems.
- Enhanced oversight of and controls applicable to third party service providers. Only 80% of financial institutions with assets exceeding $1 billion and 62% of institutions with assets below $1 billion conducted compliance audits of third parties that handle personal data of customers and employees. A meaningful percentage of surveyed banking institutions did not require contracts with third party vendors to include certain cybersecurity protections, such as representations that the vendors have established minimum information security requirements (21%), the right to audit (21%), a warranty of the integrity of the vendor’s data or products (i.e., that the data and products are free of viruses) (44%), and a duty for the vendor to notify the institution in the event of an information security or other cybersecurity breach (30%).
- Encryption of data in transit and at rest. Although the vast majority of financial institutions surveyed and all insurers surveyed encrypted data in transit, a much smaller percentage (38% of financial institutions surveyed) also reported encrypting data at rest.
Of the cybersecurity best practices flagged in the DFS’s survey reports, notably absent from the Proposed Regulations are any requirement (a) to ensure that information security requirements are extended to subcontractors of third party vendors or (b) to conduct pre-contract or periodic on-site assessments of high-risk third party vendors.
Also noteworthy is the new requirement that the chairperson of the Board of Directors or an appropriate senior officer of the Regulated Institution certify annually to the DFS that, to the best of the Board’s or the officer’s knowledge, as the case may be, and based upon a review of relevant documentation and consultation with appropriate parties, the Regulated Institution’s cybersecurity program complies with the Proposed Regulations. Given regulators’ increasing focus on pursuing individuals for alleged corporate misdeeds, as evidenced by the annual certification requirement recently adopted by the DFS in the context of Bank Secrecy Act/Anti-Money Laundering programs, such certification may expose individuals to liability in the event the Regulated Institution’s cybersecurity program is determined to be deficient.
Regulated Institutions should review the Proposed Regulations and evaluate their own cybersecurity policies, procedures, and programs against the Proposed Regulations’ requirements. Some Regulated Institutions may also wish to participate in the 45-day notice and public comment period, whether directly or through industry associations.