On Sept. 13, the New York State Department of Financial Services (“DFS”) published its proposed new regulation “Cybersecurity Requirements for Financial Services Companies.” The regulation was first announced in a statement from Governor Cuomo’s office. Prompted by recent cyberattacks on DFS-regulated entities and the “ever-growing threat posed to information and financial systems,” the DFS proposal requires covered entities — including state-chartered banks, insurance companies, and mortgage brokers, originators and servicers — to adopt a cybersecurity program designed to support the safety and soundness of the financial services industry. The baseline requirements for the proposed cybersecurity regulation build upon those previously outlined by DFS in a November 2015 letter to other federal and state regulators, as reported in a Nov. 13, 2015 Kramer Levin Alert.
If adopted, the proposed regulation would create a two-tiered compliance structure in which larger financial services companies face additional cybersecurity requirements. Many of these new measures are similar to recommended guidance from federal regulatory entities such as the Federal Financial Institutions Examination Council. While some financial services companies with extensive existing cybersecurity policies and programs may be well-positioned to comply with these minimum standards, others may be required to significantly expand their cybersecurity efforts.
The proposed regulation covers any individual or entity operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance and financial services laws.
Cybersecurity Minimum Standards in the Proposed Regulation
All Covered Entities, regardless of size, would be required to undertake the following actions under the minimum standards enumerated in the proposed regulation:
- Implement a cybersecurity program, including the “core cybersecurity functions” of risk identification; defensive infrastructure; detection of, response to and recovery from Cybersecurity Events (generally, data breaches or attempted breaches and other unauthorized uses of data); and fulfillment of reporting obligations.
- Implement a cybersecurity policy covering 14 areas, to be approved at the highest levels of the Covered Entity.
- Restrict access to sensitive Nonpublic Information (as defined in the regulation).
- Complete a risk assessment, on an annual or more frequent basis.
- Create a third-party information security policy requiring due diligence on third parties that have access to a Covered Entity’s Information Systems or Nonpublic Information, and including preferred provisions to be incorporated into third-party contracts.
- Ensure limitations on data retention, including timely destruction of Nonpublic Information when retention is no longer necessary.
- Notify the Superintendent of Financial Services within 72 hours of a Cybersecurity Event (for a Cybersecurity Event that has a reasonable likelihood of materially affecting normal operations or affecting Nonpublic Information).
- Certify to the Superintendent the Covered Entity’s compliance with the regulation annually beginning Jan. 15, 2018.
Covered Entities of a certain size face additional cybersecurity mandates because they do not meet the criteria for the “Limited Exemption,” outlined in Section 500.18 of the regulation. Under this exemption, a Covered Entity with fewer than 1,000 “customers” in each of the past three years, less than $5 million in gross annual revenue for the past three fiscal years, and less than $10 million in year-end total GAAP assets (including assets of affiliates) would be relieved of the obligation to comply with the additional minimum standards outlined below. Larger financial services companies that do not meet these criteria must also:
- Designate a Chief Information Security Officer (“CISO”), responsible for overseeing and reporting on compliance with the entity’s cybersecurity program and policy (note that the regulation contemplates that this may be accomplished through the use of third-party service providers).
- Conduct annual penetration testing (in which assessors attempt to circumvent or defeat security features) and quarterly vulnerability assessments.
- Implement audit trail systems that track and maintain data so as to allow for a complete and accurate reconstruction of all financial transactions and accounting.
- Create procedures to ensure secure development practices for applications developed in-house and conduct an annual review to ensure their effectiveness.
- Employ cybersecurity personnel sufficient to perform the “core cybersecurity functions” enumerated in Section 500.02 of the regulation and discussed in the previous bulleted section.
- Implement multifactor authentication in certain areas (requiring verification through a password and real-time generated PIN, for example).
- Monitor the activity of Authorized Users of Information Systems and detect unauthorized access of Nonpublic Information.
- Provide cybersecurity awareness training to personnel.
- Encrypt certain Nonpublic Information (at rest and in transit), with a phase-in period for these requirements to the extent encryption is “currently infeasible.”
- Create an incident response plan, including protocols for external and internal communications and information-sharing concerning Cybersecurity Events.
Implications of the Proposed Regulation
According to the DFS, the proposed regulation is the result of significant research, including a survey of more than 200 banks and insurance companies that would be subject to the new provisions. This survey revealed that many firms have already implemented cybersecurity programs. Those financial services companies that have done so may already be in compliance with many of the regulation’s provisions, while other firms may soon need to enhance their cybersecurity efforts. To the extent that the proposed regulation generates criticism or opposition, would-be regulated entities will have the opportunity to register their concerns during the 45-day notice and public comment period that will commence following the publication of the proposed regulation in the New York State register on Sept. 28, 2016.
As proposed, the regulation will become effective on Jan. 1, 2017, initiating a 180-day transition period, during which time Covered Entities must bring themselves into compliance. The full text of the proposed regulation can be accessed here.