The New York State Department of Financial Services announced its first state-level regulation for cybersecurity. The proposed regulation would apply to regulated banks, insurance companies, and other financial services institutions and has implications for Canadian organizations doing business with these entities.
On September 13, 2016, the New York State Department of Financial Services (“DFS”) announced a proposed new cybersecurity regulation (the “Regulation”) that will apply to banks, insurance companies, and other financial services institutions regulated by the DFS. The Regulation is intended to protect both the information technology systems of regulated entities and the non-public customer information they hold from the growing threat of cyberattack and cyber-infiltration.
Following a 45-day notice and public comment period, the Regulation will proceed to final issuance and become effective on January 1, 2017, followed by a transition period. The first annual certification (described below) will be due on January 15, 2018.
The Regulation is indicative of a trend towards increased cybersecurity scrutiny of securities and related sectors both globally (see our previous posts here and here) and in Canada (see our previous post here). The Regulation will likely serve as a best practices guidance document even for organizations that are not regulated by the DFS and Canadian regulators are no doubt watching this development closely.
The Regulation’s Requirements
The Regulation requires action in four key areas, summarized below:
- Establishing a Cybersecurity Program
- Establishing a Cybersecurity Policy
- Designating a Chief Information Security Officer
- Reporting and records requirements
1. Establishing a Cybersecurity Program
Covered Entities (meaning any person or entity operating under a license, registration or similar authorization under the banking, insurance and financial services laws of the State of New York) will be required to establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s information systems (the “Cybersecurity Program”). The Cybersecurity Program must fulfill the following functions:
(1) identify internal and external cyber risks;
(2) construct defensive infrastructure, policies and procedures to protect the Covered Entity’s information systems;
(3) enable detection, response to, and recovery from cybersecurity events (such as unauthorized access to information systems);
(4) fulfill regulatory reporting obligations.
To enable each Covered Entity to respond flexibly according to its own needs, Covered Entities have been given discretion with respect to the precise format of their Cybersecurity Programs. However, the Regulation requires that all Cybersecurity Programs address the following:
- Penetration Testing and Vulnerability Assessments: annual penetration testing and quarterly vulnerability assessments of the Covered Entity’s information systems.
- Audit Trail System: a system that allows complete reconstruction of all financial transactions; detection and response to cybersecurity events; logging of all privileged authorized user access; protection of data and hardware from alteration; logging of system events; and retention of all audit records for six years.
- Access Privileges: need-to-know limitation of access privileges to information systems, with periodic review.
- Application Security: establishment of written procedures to ensure secure development (both in-house and external) of applications.
- Risk Assessment: annual written risk assessment of the Covered Entity’s information systems providing (1) criteria for the evaluation and categorization of risks; (2) criteria for the assessment of the confidentiality, integrity and availability of information systems, including adequacy of existing controls; and (3) description of the risk-mitigation process.
- Personnel and Intelligence: engagement of skilled cybersecurity personnel to enable compliance, along with adequate training.
- Multi-Factor Authentication: access to Covered Entities’ information systems must be performed through multi-factor authentication.
- Data Retention: requires the timely destruction of data, except where data retention is required by law.
- Training and Monitoring: requires the Covered Entity to implement both regular cybersecurity training and systems for monitoring Authorized Users’ activity.
- Encryption: all nonpublic information shall be encrypted at all times.
- Incident Response Plan: Covered Entities should establish a written incident response plan to promptly respond to, and recover from, any cybersecurity event.
- Third Party Information Security Policy: implementing procedures to ensure the security of information systems and information that are accessible to, or held by, third parties doing business with the Covered Entity.
This last requirement is interesting as it potentially impacts Canadian providers to Covered Entities. Such Canadian providers can expect their clients to put procedures in place that identify risks related to third parties, establish cybersecurity standards required to be met by third parties, and conduct annual due diligence evaluations of the adequacy of those third party standards. Such procedures are also to include “implementing preferred contractual provisions for agreements with third parties”, including provisions requiring multi-factor authentication, encryption, notice of a cybersecurity event, identity protection, protection against malware, and audits of the third party service provider by the Covered Entity. As a result, Canadian businesses that are service providers to Covered Entities may wish to get ahead of customer inquiries (or demands) and begin proactively reviewing contracts and formulating their approach to risk tolerance.
2. Establishing a Cybersecurity Policy
Covered Entities are also required to implement and maintain a written cybersecurity policy which will detail the policies and procedures for the protection of the Covered Entity’s information systems. There is nothing surprising about what is required in such a Policy, although there is an explicit requirement for the Covered Entity’s board of directors, or equivalent governing body, to review the Cybersecurity Policy as frequently as necessary, and at least once a year.
3. Designating a Chief Information Security Officer
Covered Entities will be required to designate a “qualified” Chief Information Security Officer (“CISO”) responsible for the Covered Entity’s Cybersecurity Program and Cybersecurity Policy (interestingly, the function of CISO can be outsourced to a third party, under certain conditions).
The CISO shall report, at least bi-annually, to the Covered Entity’s board of directors or equivalent governing body, on the following: (1) the confidentiality, integrity and availability of the Covered Entity’s information systems; (2) exceptions to the Cybersecurity Policy; (3) cyber risks to the Covered Entity; (4) effectiveness of the Cybersecurity Program; (5) proposed steps to remediate any inadequacies identified therein; and (6) summary of all material cybersecurity events that affected the Covered Entity during the time period addressed by the report.
4. Reporting and Records Requirements
Covered Entities are required to notify the regulator, as promptly as possible but no later than 72 hours, of any cybersecurity event that may reasonably materially affect the normal operation of such Covered Entity’s information systems or compromise the non-public information it holds.
Covered Entities shall certify annually that the Covered Entity is in compliance with the requirements set forth in the Regulation. All records supporting such certification must be retained for a period of five years.
Implications for Canadian Business
Are you a third-party vendor of a New York regulated financial institution? The Regulation could affect your business (see above final point under Establishing a Cybersecurity Program).
Section 500.11 of the Regulation mandates significant new due diligence obligations in relation to third party service providers. If you are a third-party vendor (for instance, a payroll, data processing, or software provider) of a regulated New York financial services or insurance institution, then that institution now has the obligation to report any cybersecurity event you may have if it’s likely to affect the Covered Entity’s business. Covered Entities will now also have the obligation to conduct periodic assessments of your internal processes for handling their non-public information, to obtain representations and warranties from you as to the soundness of those processes, and to make contractual provision for all of the above, which may require revisions to your existing contracts.
Canadian businesses should already be thinking about many of these issues, especially in light of the recent amendments to PIPEDA, which should see draft regulations on many similar issues released soon.
Furthermore, while this Regulation is the first of its kind issued by a US state government, organizations having clients in other US jurisdictions should understand that matching or similar regulations are likely not far off.
Similarly, while Canadian regulators in several jurisdictions have issued their own guidance documents with respect to cybersecurity in the financial services sector, New York’s position as the world’s financial capital suggests that the Regulation will be watched closely, including by Canadian courts and regulators.