The New York Department of Financial Services (DFS) issued proposed regulations on September 13, 2016 regarding cybersecurity requirements for Covered Entities. The Proposed Regulation applies to any entity that (1) obtains an individual's financial information in connection with a financial transaction or product, personal health information, or information sufficient to identify the individual (collectively, “NPI”); and (2) operates under, or is required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law. Covered Entities include banks, credit unions, money transmitters, insurance companies, trust companies, domestic branches of foreign banks and mortgage lenders.
The Proposed Regulation sets minimum standards for creation of a cybersecurity program (“Cybersecurity Program”). A Cybersecurity Program must: (1) identify internal and external cybersecurity risks to NPI stored on the Covered Entity’s network; (2) use defensive infrastructure (e.g., firewalls, encryption, anti-virus software) and implement policies and procedures to protect information systems; (3) detect Cyber Events; (4) respond to Cyber Events to contain/mitigate damage; (5) recover from negative Cyber Events; and (6) fulfill regulatory reporting obligations.
The information presented is intended to be a starting point for development of a Cybersecurity Program. It is a summary and does not cover all aspects of a Cybersecurity Program. Each Covered Entity has unique risks and should develop a Cybersecurity Program tailored to its risk profile.
Policies and Procedures. Covered Entities must have policies and procedures that cover:
1. Information security;
2. Data governance and classification;
3. Access controls and identity management;
4. Business continuity and disaster recovery planning and resources;
5. Capacity and performance planning;
6. Systems operations and availability concerns;
7. Systems and networks security;
8. Systems and network monitoring;
9. Systems and application development and quality assurance;
10. Physical security and environmental controls;
11. Customer data privacy;
12. Vendor and third-party service provider management;
13. Risk assessment; and
14. Incident response.
Who is responsible? The board of directors, or a senior officer if the Covered Entity does not have a board, is responsible for the Covered Entity’s Cybersecurity Program. The board or the senior officer must review the Covered Entity’s Cybersecurity Program at least annually.
Appointment of a Client Information Security Officer (“CISO”). Each Covered Entity must appoint or designate a CISO to oversee the Cybersecurity Program and enforce cybersecurity policies. The CISO role may be outsourced, but the board or senior officer remains responsible for the Covered Entity’s Cybersecurity Program.
The CISO must make a bi-annual report to the board of directors regarding threats or vulnerabilities to the network. The report must include: the confidentiality and integrity of the Covered Entity’s information systems, its policies and procedures, the cybersecurity risks, the effectiveness of the Covered Entity’s Cybersecurity Program, the incident response and remediation plans to potential Cyber Events, and a summary of any Cyber Events during the relevant period. Furthermore, the CISO must conduct penetration testing annually to identify vulnerabilities to the Covered Entity’s network security systems, and must conduct vulnerability testing at least quarterly.
The CISO's findings must be transmitted to the Superintendent of DFS upon request.
Access Control. Covered Entities must limit access privileges to information systems solely to individuals who require the information. A best practice is to limit permission to authorized users only to the level of information required for the user to perform his or her responsibilities. IT professionals should regularly review each authorized user’s access to ensure the user’s access needs matches his or her role. Covered Entities must implement controls to monitor the activity of authorized users to detect unauthorized tampering with NPI.
Audit Trail. A Covered Entity’s Cybersecurity Program must contain a process to track and accurately re-create financial transactions and accounting records and to detect and respond to Cyber Events. Proper logs must be maintained to verify that only authorized users access critical systems, that the system’s hardware is protected from tampering, and that data is not tampered with or altered. The document retention requirement is six years.
Third Party Vendors. A Covered Entity that conducts business with a third-party vendor with access to NPI must, at a minimum, have a protocol to assess the risk associated with the vendor, set minimum cybersecurity standards that the vendor must meet to do business with the Covered Entity, evaluate the adequacy of the vendor’s cybersecurity practices prior to entering into a business relationship, and conduct periodic assessments to ensure that the vendor’s cyber hygiene is robust.
The vendor’s cybersecurity program must have features such as encryption of NPI in transit and at rest and multifactor authentication procedures to limit exposure of NPI. Contracts between the Covered Entity and the vendor must contain representations and warranties that the vendor’s service or product does not have mechanisms that would impair the Covered Entity’s system, notice provisions regarding cyber incidents at the vendor, audit requirements to ensure compliance with the Covered Entity’s standards, and identity protection services so that the vendor assumes responsibility for cyber incidents.
Personnel, Training and Monitoring. Covered Entities must employ personnel capable of managing their Cybersecurity Programs, and those personnel must remain abreast of developments in cybersecurity. The Cybersecurity Program must also include a protocol to train employees regarding cybersecurity risks and to share information internally and externally.
Incident Response Plan. The incident response plan must, at a minimum, contain information that addresses the following areas:
1. The internal processes for responding to a cyber event;
2. The goals of the incident response plan;
3. Clear roles, responsibilities and decision-making authority when a Cyber Event occurs;
4. A communication plan both internally and externally;
5. Processes to quarantine and remediate after a negative Cyber Event and processes to identify weaknesses in information systems and associated controls;
6. Documentation and reporting of Cyber Events to regulators, law-enforcement, and other stakeholders; and
7. Process to debrief and evaluate the incident response plan following a Cyber Event.
Notice Provisions. A Covered Entity must notify the Superintendent of DFS no later than 72 hours after learning of a cyber incident. The Covered Entity must submit a certification of compliance to DFS on or before January 15 annually. Sarbanes-Oxley’s procedures for certifying the accuracy of financial information in a Covered Entity’s annual report may be a useful protocol.
The document retention period for all records, schedules, and data supporting the compliance certificate is five years.
Exemptions. The Proposed Regulation exempts a Covered Entity with (i) fewer than 1,000 customers in each of the last three calendar years, (ii) revenues of less than $5 million in each of the last three fiscal years, and (iii) assets at year-end that total less than $10 million (including affiliates). The Covered Entity has 180 days to become compliant if it ceases to qualify for the exemption.
Effective Date. The Proposed Regulation will become effective on January 1, 2017, and DFS will use its authority under applicable laws to enforce the cyber security regulations.