After surveying nearly 200 of its regulated banking and insurance companies for industry insight, the New York Department of Financial Services (the “NYDFS”) proposed a first-ever, cybersecurity regulation, on September 13, 2016, to protect against the growing threat of cyber-attacks. This cybersecurity regulation applies to financial institutions regulated by the NYDFS (“Covered Entity”), which include banks—some of the largest foreign global banks such as HSBC, Standard Chartered and BNP Paribas—insurance companies and other regulated financial services companies. As the first regulator to issue cybersecurity guidelines, the NYDFS may have set the standard for other regulators, at the state or federal level, or even globally.
The Covered Entity must establish a cybersecurity program and policies to ensure the confidentiality, integrity and availability of its information systems and nonpublic information. A Chief Information Security Officer (“CISO”) must be designated who is responsible for implementing, overseeing and enforcing the program and policies. The cybersecurity policy must be written, approved by a senior officer and, at a minimum, address specific enumerated areas, such as system and information security, customer data privacy, and vendor and third-party service provider management. At least annually, the board of directors is required to review the policy. The CISO must develop reports, biannually, for the board of directors and the Superintendent, if requested.
There is a certification requirement that the Covered Entity is in compliance with this regulation from the board of directors or a senior officer. This certification must be submitted annually to the Superintendent by January 15. All records, schedules and data supporting this certification must be maintained for five years and available for examination by the NYDFS.
Incidence Response Plan
As part of the cybersecurity program, the Covered Entity must establish an incidence response plan to respond to or recover from a cybersecurity breach or attempted breach. If there is such an incident, which is likely to affect normal operations or non-public information, the Covered Entity must notify the Superintendent within 72 hours. Finally, if the Covered Entity has identified “any material risk of imminent harm relating to its cybersecurity program,” the Superintendent must be notified within 72 hours, and such material risks must be included in the annual certification report.
Cybersecurity Program Minimum Requirements
Minimum requirements for the cybersecurity program include encryption and timely destruction of non-public information, general personnel training and monitoring of authorized users, annual penetration testing, quarterly vulnerability assessments, audit trail systems and limited information access. Furthermore, the program must provide written procedures, guidelines and standards to ensure the security of both internally and externally developed applications, which the CISO must review, assess and update annually. Risk assessments are required on at least an annual basis. Qualified personnel must be in place to manage the risks and core cybersecurity functions. They have to attend regular cybersecurity updates and training sessions. Additionally, key cybersecurity personnel must take steps to stay abreast of the ever-changing cybersecurity threats and countermeasures. Alternatively, a Covered Entity may utilize a qualified third party to meet this requirement.
Third-Party Information Security Policy
A written third-party information security policy is also required to ensure the security of information systems and non-public information that are accessible or held by third parties doing business with a Covered Entity. A required due diligence process will evaluate the third party’s cybersecurity practices and ongoing assessments will determine the continued adequacy of such practices. Third-party service provider contracts, at a minimum, must include provisions for multi-factor authentication, encryption of non-public information, prompt notice of a cybersecurity breach or attempted breach and the right to perform cybersecurity audits. The third parties must provide representations and warranties that the services or products provided are free of viruses, trap doors, time bombs and other mechanisms that would impair the security of the Covered Entity’s information systems or non-public information.
Multi-Factor Authentication must be utilized by Covered Entities for any individual accessing its internal systems or data from an external network. Multi-factor authentication is also required for certain access to nonpublic information.
The regulation will be subject to a 45-day notice and public comment period before final adoption. If and when approved, Covered Entities have 180 days from the effective date to comply, unless otherwise specified. There are limited exceptions for smaller Covered Entities.