This past Friday, March 1, 2019, marked the second anniversary of the New York Department of Financial Services (DFS)’s cybersecurity regulation and the end of its final transitional period.[i] Since the regulation took effect, regulated institutions,[ii] subject to limited exemptions,[iii] have had to implement and maintain “robust” cybersecurity programs and file annual certifications with DFS attesting to their compliance. As set forth in more detail below, the mandated programs must contain core policies and procedures governing cybersecurity, be built on periodic risk assessments, and ensure oversight of company operations, employees, and third-party service providers. The cybersecurity regulation also requires regulated institutions to notify DFS of qualifying cybersecurity events no later than 72 hours after determining that such an event has occurred.
As of December 2018, DFS had received approximately 1,000 notices of cybersecurity events, a “significant number” of which involved breaches stemming from credential-stealing email (phishing) schemes. In response, in a memorandum to the CEOs of regulated institutions, DFS emphasized that institutions should “make sure all persons who can access a company’s systems have the proper protections and are using the appropriate protections,” have “strong access controls and training,” and “embrace opportunities to improve and advance their cybersecurity readiness and systems.”[iv] DFS further underscored “the importance of full compliance” with the multi-factor authentication requirement, “strong access controls and encryption for data in transit and at rest,” and “ongoing training.”[v]
DFS CYBERSECURITY REGULATION REQUIREMENTS
Regulated institutions, subject to limited exemptions, must implement, maintain, and annually certify to DFS that they have “robust” cybersecurity programs protecting the confidentiality, integrity, and availability of their information systems, including:
- a written policy, approved by the board of directors or a senior officer, setting forth the policies and procedures for protecting information systems and stored nonpublic information;
- a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event;
- periodic, documented risk assessments of information systems, in accordance with written policies and procedures, updated as reasonably necessary to address changes to information systems, nonpublic information, or business operations;
- either continuous monitoring or, where continuous monitoring is not in place, annual penetration testing and bi-annual (i.e., twice-yearly) vulnerability assessments;
- a qualified Chief Information Security Officer responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy, who submits written reports, at least annually, to the board of directors or a senior officer;
- secure systems that can sufficiently reconstruct material financial transactions (to the extent applicable and based on the institution’s risk assessment);
- secure systems that generate audit trails designed to detect and respond to cybersecurity events (to the extent applicable and based on the institution’s risk assessment);
- data retention and secure destruction policies and procedures, in accordance with defined recordkeeping timetables;
- limited user access privileges to information systems that provide access to nonpublic information, with periodic review of those access privileges (based on the institution’s risk assessment);
- written procedures, guidelines, and standards governing internally and externally developed applications, which are to be periodically reviewed;
- written policies and procedures governing information systems and nonpublic information accessed or held by third-party service providers (based on the institution’s risk assessment);
- qualified cybersecurity personnel (employees or a third-party provider) who receive training sufficient to address relevant risks and who take steps to stay abreast of changing cybersecurity threats and countermeasures;
- risk-based monitoring of authorized users’ activity to detect unauthorized access to, use of, or tampering with nonpublic information, and regular cybersecurity awareness training for all personnel; and
- effective access controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access to nonpublic information and information systems (multi-factor authentication is required for any individual accessing the institution’s internal networks from an external network, unless the CISO has approved in writing reasonably equivalent or more secure controls); and encryption of nonpublic information in transit over external networks and at rest, or, where encryption is infeasible, effective alternative compensating controls reviewed and approved by the CISO (based on the institution’s risk assessment).[vi]
WHAT COMES NEXT?
What can DFS-regulated institutions expect going forward? Now that the cybersecurity regulation is fully effective, and DFS has in its hands two years’ worth of incident notices and certification information, regulated institutions can reasonably expect continuing, rigorous oversight and enforcement against non-compliance. DFS will likely use all of its supervisory powers, including its licensing authority over institutions operating in New York and its examination of regulated institutions, to ensure compliance with the cybersecurity regulation. The fact that a regulated institution has fully complied to date does not keep it in safe waters in perpetuity. As the regulation and DFS’s own public statements reinforce, institutions must be continually vigilant in assessing their cybersecurity risk and in maintaining (and documenting) appropriate programs and steps to address that risk in a “robust fashion.”[vii]

Concerning consequences for non-compliance, the text of the cybersecurity regulation does not detail how penalties and fines may be calculated or assessed. During the public comment period, DFS responded to requests for additional details on enforcement mechanisms by saying only that the existing language was “sufficient.” Enforcement actions under the cybersecurity regulation could instead rest on DFS’s general authority under the New York Banking Law, which allows penalties as high as $2,500 per day for each day a violation continues, $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct, and $75,000 per day in the event of a knowing and willful violation.[viii] Given DFS’s clearly expressed intent to move regulated institutions to compliance, and the potentially significant penalties at its disposal, regulated institutions should make every effort to ensure compliance with each of the cybersecurity regulation’s numerous obligations.