Cyber-crime and identity theft pose an ever-increasing threat to the consumers of financial products and services. To confront this threat, New York’s Governor Andrew Cuomo recently announced a cybersecurity regulation for New York’s financial services sector which takes effect today. The regulation will require financial institutions to implement robust controls to detect, thwart, and report cyber-incidents.
Given the national reach of many New York financial institutions, the impact of the new regulation will be felt far beyond the state of New York and will likely become the baseline standard for the industry. Almost any entity that operates under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the banking, insurance, and financial services laws of New York is covered by the regulation. There are few exemptions (see below).
Generally speaking, the regulation requires banks, insurance companies, and other financial services institutions regulated by the New York State Department of Financial Services (“NYDFS”) to establish and maintain cybersecurity programs designed to protect consumers’ private data and ensure industry safety. The regulation includes certain regulatory minimum standards and encourages firms to keep pace with technological advances.
More specifically, the regulation requires covered entities to:
- Conduct periodic risk assessments
- Maintain a cybersecurity program based on the risk assessment
- Adopt written cybersecurity policies
- Comply with governance and staffing requirements – including appointment of a Chief Information Security Officer by August 2017
- Monitor or conduct penetration testing and vulnerability assessments
- Maintain transaction and server logs
- Limit user access privileges
- Maintain application security written procedures, guidelines, and standards
- Install a vendor risk-management program, policies, and procedures
- Use multi-factor authentication or risk-based authentication
- Destroy nonpublic information periodically and securely
- Implement controls, including encryption or compensating controls
- Establish a written incident-response plan
- Provide regular cybersecurity awareness training
- Notify NYDDFS of any breaches within 72 hours.
Although the regulation takes effect today, it includes transition periods of between one and two years for most requirements. Even with the staggered compliance dates, however, full compliance with such an expansive regulation will be challenging.
Some persons or entities will be exempt from most of the requirements of the regulation - except for conducting a risk assessment; implementing written policies and procedures to secure nonpublic information that is accessible to, or held by, third party services providers; and establishing policies and procedures for the secure disposal of nonpublic information. Among the exempted are “small covered entities,” “designees covered by another covered entity,” “entities that do not possess or handle nonpublic information,” and “captive insurance companies.” Even exempted covered entities must still file a certificate of exemption with NYDFS within 30 days.
NYDFS announced the initial proposed rules in September 2016. After industry complaints and a public hearing, revised rules were issued in December 2016. Another period of public comment period closed in late January 2017.