On December 28, 2016, the New York Department of Financial Services (the “NYDFS”) reproposed its much anticipated cybersecurity regulation substantially in the same form as originally proposed (the “Proposed Rule”). If adopted, the Proposed Rule will implement a framework of “minimum standard” requirements for financial services companies’ cybersecurity programs.
On September 13, 2016, the NYDFS proposed a “first-of-its-kind” cybersecurity regulation. During the proposal’s 45-day comment period, which ended on November 14, 2016, the NYDFS received a substantial number of comments from industry participants.
On December 28, 2016, the NYDFS restated its belief that the Proposed Rule was in the best interest of the consumer and reissued the Proposed Rule substantially in the same form as originally proposed. The reissued Proposed Rule will be subject to an additional final 30-day comment period to consider any new comments that were not previously raised in the original comment process.
Generally, only Covered Entities must comply with the Proposed Rule. A “Covered Entity” is defined as any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under (a) the banking law, (b) the insurance law or (c) the financial services law in New York.
To clarify, the Proposed Rule would not impose any new requirements on federally-chartered institutions; however, it would affect state-chartered banks operating branches inside New York (e.g., a New Jersey state-chartered bank operating a branch in New York).
The Proposed Rule exempts Covered Entities with: (a) fewer than 1,000 customers in each of the last three calendar years; (b) less than $5 million in gross annual revenue in each of the last three fiscal years; and (c) less than $10 million in year-end total assets. According to the Federal Deposit Insurance Corporation’s public data and statistics, only one nonmember state bank meets these exemption criteria.
What does the Proposed Rule require?
The Proposed Rule requires Covered Entities to:
1. Establish a Cybersecurity Program. Each financial institution must establish a cybersecurity program designed to ensure the confidentiality, integrity and availability of information systems.
2. Adopt a Cybersecurity Policy. Adopt a written cybersecurity policy, setting forth policies and procedures addressing the following:
(a) information security;
(b) data governance and classification;
(c) access controls and identity management;
(d) business continuity and disaster recovery planning and resources;
(e) capacity and performance planning;
(f) systems operations and availability concerns;
(g) systems and network security;
(h) systems and network monitoring;
(i) systems and application development and quality assurance;
(j) physical security and environmental controls;
(k) customer data privacy;
(l) vendor and third-party service provider management;
(m) risk assessment; and
(n) incident response.
3. Designate a Chief Information Security Officer. For the first time, a regulated financial institution will be required to designate a qualified individual to serve as Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the institution’s cybersecurity program.
A third party service provider may fulfill this role, but the institution will (a) remain responsible for compliance of its cybersecurity program and (b) be required to designate a senior member of the institution’s personnel to oversee the service provider.
The CISO will be required to report, at least biannually, to the institution’s board.
4. Oversee Third Party Service Providers. A regulated financial institution must have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties. These policies and procedures must include the following:
(a) identification and risk assessment of third parties with access to such information systems or such nonpublic information;
(b) minimum cybersecurity practices required to be met by such third parties;
(c) due diligence processes used to evaluate the adequacy of cybersecurity practices of third parties; and
(d) periodic assessment, at least annually, of third parties for the purpose of assuring the continued adequacy of their cybersecurity practices.
5. Implement Incident Response Plans / 72-Hour Notice Requirement. Each financial institution will be required to establish a written incident response plan, which must address, at a minimum, the following:
(a) the internal processes for responding to a cyber event;
(b) the goals of the incident response plan;
(c) the definition of clear roles, responsibilities and levels of decision-making authority;
(d) external and internal communications and information sharing;
(e) remediation of any identified weaknesses in the institution’s systems and controls;
(f) documentation and reporting of a cyber event; and
(g) the evaluation and revision of the incident response plan following a cyber event.
In addition, the Proposed Rule would require a financial institution to provide notice to the NYDFS as promptly as possible, but in no event later than 72 hours, after the entity becomes aware of any event (i) of which notice is provided to any government or self-regulatory agency or (ii) involving the actual or potential unauthorized tampering with, or access to or use of, nonpublic information. It is noteworthy that the Proposed Rule has no corresponding requirement to notify customers.
6. Train Employees. A Covered Entity’s personnel will be required to attend regular cybersecurity training that is specific to the risks of the institution.
7. Bolster Cybersecurity Protections. In addition to periodic internal and external cyber risk assessments and audits, Covered Entities will be required to adopt the following:
(a) Multi-factor Authentication. Multi-factor authentication will be required for individuals (i) accessing internal systems or data from an external network (i.e., remote access), (ii) who have privileged access or (iii) who may access web applications that interface with nonpublic information. Multi-factor authentication would also apply to customers’ access to online banking.
(b) Encryption. A financial institution will be required to encrypt all nonpublic information, both in transit and at rest.
8. Additional Requirements. In addition to the foregoing, a financial institution’s cybersecurity program will be required to include the following:
(a) annual penetration testing and vulnerability assessments;
(b) an audit trail system to reconstruct transactions and log access privileges;
(c) periodic reviews of access privileges;
(d) annual reviews and updates (as necessary) to written application security procedures, guidelines and standards;
(e) annual risk assessment of the confidentiality, integrity and availability of information systems; adequacy of controls; and mitigation or acceptance of identified risks;
(f) employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures; and
(g) timely destruction of nonpublic information that is no longer necessary except where required to be retained by law or regulation.
How will the Proposed Rule impact financial institutions?
The Proposed Rule represents the most comprehensive cybersecurity regulation to date in the United States. The high-level significance of the Proposed Rule is four-fold.
1. Regulatory Shift. The Proposed Rule represents a shift from the current state and federal regulatory approach to cybersecurity, which generally is aspirational — not mandatory. Federal regulation has emphasized a “risk-based” approach in that each financial institution should adopt a cybersecurity system commensurate with the size, complexity and individual risk-profile of the financial institution. The NYDFS approach is emphasizing certain specified minimum standards for all.
2. Increased Costs. In mandating specific comprehensive cybersecurity protections, the NYDFS approach will likely place a substantial cost burden on all financial institutions. As smaller financial institutions are less likely to have in place systems that would be compliant with the Proposed Rule, there is a strong likelihood of cybersecurity becoming one of the larger operational expenses.
- Chief Information Security Officer. One feature of the Proposed Rule that is of particular note is that each institution must “designate” a CISO to lead and manage the institution’s cybersecurity program. Just as compliance officers have become specially trained and credentialed experts over time, the position of CISO is expected to follow suit. As CISOs become better trained and recognized, financial institutions can expect that these positions will become a significant fixed cost in each institution’s operational budget.
- Third Party Service Providers. Under the Proposed Rule, financial institutions will be required to demand that any third party service provider with access to the Covered Entity’s information systems or nonpublic information agree to adopt comparable cybersecurity policies. A smaller financial institution that utilizes service providers may find that its service providers need to up their game to achieve compliance with the Proposed Rule. Ultimately, these providers can be expected to pass these costs along to the financial institutions.
3. Dual Regulation. The Proposed Rule does not affect any previously issued guidance from the federal banking regulators concerning: (a) third party service provider risk management; (b) best practice and cybersecurity recommendations; or (c) incident response programs. Thus, while certain elements of the Proposed Rule differ from federal regulations, a financial institution that is ultimately subject to the Proposed Rule will be required to treat any discrepancy as an additional layer of compliance. Below are two specific examples of how the Proposed Rule is likely to be reconciled with federal regulations.
- Multi-Factor Authentication and Encryption. The Proposed Rule requires financial institutions to implement multi-factor authentication (e.g., requiring the consumer to provide something the consumer has and something the consumer knows) for all internal and external networks, both employee and customer facing, where such network system provides access to nonpublic information. Further, a financial institution will be required to encrypt all nonpublic information, both in transit and at rest. This is a significant break with the federal regulators, as no such requirement has ever been imposed as a standard. In comparison, the federal regulatory approach has been to impose requirements based upon the size, complexity and individual risks of the financial institution.
While the Proposed Rule requires both encryption and multi-factor authentication, a financial institution cannot rely on its compliance with these NYDFS-imposed requirements alone. Financial institutions will still be required by the federal regulators to assess and adopt proper cybersecurity programs commensurate with their size, complexity and identified risks. Consequently, this inconsistency will require each financial institution to assess and audit its compliance under both the NYDFS and federal regulatory approaches.
- 72-Hour Notice Requirement. In addition, the Proposed Rule would require a financial institution to notify the NYDFS “as promptly as possible, but in no event later than 72 hours,” after it becomes aware of an event that involves the “actual or potential” unauthorized tampering with, or access to or use of, nonpublic information. This time frame is significantly more aggressive than the federal regulatory requirements. In contrast, federal banking regulations provide more flexibility in requiring financial institutions to provide “prompt notification” to the appropriate regulator when it becomes “aware” of a data incident.
While the two regimes appear somewhat inconsistent, the practical effect is clear. If a financial institution becomes aware of a potential data incident/breach, it may make a reasonable determination as to what constitutes “prompt notification” to a federal regulator. The NYDFS, however, is removing a financial institution’s ability to determine what is “prompt” notification to the NYDFS. Consequently, a financial institution will be required to comply with both the federal and state cyber regulatory apparatus.
4. The Snowball Effect. As one of the preeminent financial service regulators in the country, the NYDFS’s actions may serve as a catalyst causing other state regulators to impose similar requirements in their states.
When will the Proposed Rule become effective?
The Proposed Rule’s effective date was delayed from January 1, 2017 to March 1, 2017. However, financial institutions covered by the Proposed Rule will have 180 days, or until September 1, 2017, to comply with the new requirements. Further, the NYDFS did not change the date by which Covered Entities must submit to the NYDFS a certificate of compliance with the cybersecurity requirements, which remains February 15, 2018.
In sum, the Proposed Rule’s consequences are likely to be far-reaching. Financial institutions would be wise to review all regulatory developments in cybersecurity and continually reassess their cybersecurity programs for regulatory compliance.