Earlier this month, the New York State Department of Financial Services (“DFS”) announced proposed cybersecurity regulations for financial institutions. This proposal is, according to Governor Cuomo, a “new first-in-the-nation regulation” that is designed to protect financial institutions and their consumers.
The proposed regulations are not a surprise. Late last year, the DFS announced its intention to issue cybersecurity rules. That announcement came after the DFS surveyed nearly 200 banking and insurance institutions and issued three reports to help inform the rulemaking process. The regulations also come on the heels of similar rules by federal regulators.
The proposed cybersecurity regulations are sweeping in both their scope and their requirements. The rules cover any sizable entity “operating under” a “license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.” And the requirements are substantial. For example, the proposed regulations include provisions on the following:
• Cybersecurity Programs: The program must “identify internal and external cybersecurity threats,” use “defensive infrastructure,” and detect and respond to cybersecurity events.
• Cybersecurity Policy: The policy must address, among other issues, “information security,” “business continuity and disaster recovery planning,” and “vendor and third-party service provider management.”
• Chief Information Security Officer: Each covered entity must designate a “Chief Information Security Officer” to oversee and enforce the cybersecurity program and policy. That officer must issue, at least bi-annually, a cybersecurity report to the board of directors.
• Testing and Assessments: Covered entities must conduct penetration testing annually and vulnerability testing quarterly.
• Audit Trails: Covered entities must “track and maintain data” in order to reconstruct all financial transactions in the event of a breach, to log all electronic access of critical systems, and to monitor alterations made to an audit trail. This information must be maintained for at least six years.
• Risk Assessment: Covered entities must conduct an annual risk assessment of their information systems.
• Cybersecurity Personnel: Covered entities must “employ cybersecurity personnel” to manage cyber risks and perform core functions.
And there are a number of other proposed rules—ranging from encryption requirements to training and monitoring obligations.
As we had expected, the DFS also focused on third-party vendor relationships. Covered entities must implement policies to ensure the security of information systems and nonpublic information accessible to third-party vendors. Third-party vendors must meet minimum cybersecurity practices, and covered entities must identify any risk posed by their vendors and review, at least annually, the adequacy of vendors’ cybersecurity practices. The regulations also require covered entities to “include in contracts” with third parties provisions requiring multi-factor authentication, proper encryption, and prompt notice in the event of a breach. And a contracting third party must agree to provide “identity protection services” in the event of a breach resulting from that third party’s “negligence or willful misconduct.”
The regulations also include mandatory reporting requirements. Covered entities must notify the DFS of any cybersecurity event that “has a reasonable likelihood” of materially affecting the entity’s “normal operation” or any nonpublic information. Companies must also annually certify compliance with the regulations and “maintain for examination . . . all records, schedules and data supporting” the certification.
These regulations are subject to a 45-day notice and public comment period. We will continue to monitor and report on the rulemaking process.