Hoping to provide greater clarity to financial institutions subject to its new cybersecurity requirements, New York’s Department of Financial Services (DFS) published a Frequently Asked Questions (FAQ) document to assist those institutions as the Aug. 8, 2017, compliance deadline looms.
The “Cybersecurity Requirements for Financial Services Companies” are first-in-the-nation regulations for banks, insurance companies and other financial services institutions under DFS jurisdiction. Generally, the regulations require covered entities to assess their specific risk profile and design a program that will “ensure the confidentiality, integrity and availability” of the entity’s information systems and “nonpublic information,” including any business-related information, information provided to a covered entity, healthcare information and personally identifiable information.
In addition, covered entities must establish a written cybersecurity policy covering topics ranging from business continuity and disaster recovery planning to physical security and environmental controls to the designation of a chief information security officer (CISO), with that officer or another member of senior management obligated to file an annual certification with the DFS that confirms compliance with the regulations.
However, questions remained about the new regulations, particularly as the Aug. 28 compliance deadline loomed. The DFS responded with a FAQ document, noting that “the Department may revise or update the below information from time to time, as appropriate.”
Notably, the FAQs further explain the requirement that covered entities report an unsuccessful cyber attack that has or had “a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” DFS recognized that covered entities are “regularly” subject to many attempts to gain unauthorized access to, disrupt or misuse their information systems, and that many of these attempts are thwarted by the covered entities’ cybersecurity programs.
Even though, as the FAQs noted, most unsuccessful attacks will not be reportable, “Covered Entities are requested to notify the Department of those unsuccessful attacks that appear particularly significant based on the Covered Entity’s understanding of the risks it faces.” Considerations might include whether handling the attack required measures or resources well beyond those ordinarily used by the covered entity, the regulator suggested, such as the adoption of extraordinary nonroutine precautionary steps or exceptional attention by senior personnel.
“The Department believes that analysis of unsuccessful threats is critically important to the ongoing development and improvement of cybersecurity programs, and Covered Entities are encouraged to continually develop their threat assessment programs,” the DFS wrote. “Notice of the especially serious unsuccessful attacks may be useful to the Department in carrying out its broader supervisory responsibilities, and the knowledge shared through such notice can be used to timely improve cybersecurity generally across the industries regulated by the Department.”
The FAQs also make clear that covered entities are required to give notice to the DFS when a cybersecurity event involves harm to consumers, as the regulations should be read in conjunction with other state laws and regulations that apply to consumer privacy. “To offer just one example, New York’s information security breach and notification law requires notices to affected consumers and to certain government bodies following a data breach,” DFS noted. If the data breach constitutes a cybersecurity event as defined by the regulations, then it must also be reported to the DFS.
Are the DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks required to comply with the cybersecurity regulations? Yes, the FAQs stated that New York branches of out-of-state domestic banks “are required to comply with New York state law, and DFS maintains the right to examine branches located in New York.”
The guidance also sought to clarify what constitutes “continuous monitoring” for purposes of the regulations, explaining that it can be attained “through a variety of technical and procedural tools, controls, and systems.”
“There is no specific technology that is required to be used in order to have an effective continuous monitoring program,” the FAQs added. “Effective continuous monitoring generally has the ability to continuously, on an ongoing basis, detect changes or activities within a Covered Entity’s Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity. In contrast, non-continuous monitoring of Information Systems, such as through periodic manual review of logs and firewall configurations, would not be considered to constitute ‘effective continuous monitoring’ for purposes of” the regulations.
With the compliance deadline fast approaching, DFS stated that it “expects full compliance” with the regulations and that a covered entity may not submit a certification unless it is in compliance with all applicable requirements at the time of certification.
Why it matters
Covered entities would be well served to read the FAQs as the first compliance deadline for the DFS’s new cybersecurity regulations approaches. Among other things, the guidance provides an explanation for what constitutes “continuous monitoring” and emphasizes that the reporting requirement of unsuccessful attacks is intended to facilitate information sharing regarding serious events, as the DFS does not intend to penalize covered entities for the exercise of “honest, good faith judgment.”