On 1 March 2017 the New York Department of Financial Services’ “Cybersecurity Requirements for Financial Services Companies” (“CRFSC”) came into effect.
The CRFSC is the first set of DFS regulations specifically aimed at cybersecurity. By the standards of financial services regulation worldwide it is an unusually detailed and comprehensive set of cybersecurity rules, and it may indicate the direction that other national regulators in the financial services sector (in particular, the FCA) will take in the future.
The CRFSC sets out minimum standards for cybersecurity, which must be applied by each “Covered Entity” (authorised banks, insurers and other financial services providers above a certain size threshold).
The CRFSC is intentionally designed not to be “overly prescriptive”. Covered Entities must first assess the cybersecurity risks they face and then apply protections appropriate to those risks. That said, the CRFSC also sets relatively detailed and specific minimum requirements for the systems, controls and processes that Covered Entities must put in place in certain areas.
Covered Entities are required to assess the risks the business faces and to implement a comprehensive cybersecurity programme that reflects the degree of risk identified.
As part of this programme, Covered Entities are required to implement and maintain a written cybersecurity policy addressing each area of the firm’s cybersecurity programme (the CRFSC lists 14 areas to be covered).
The CRFSC also places far greater emphasis on a firm’s response to cybersecurity events, reflecting the wider shift in focus across this area towards responding to and remedying breaches. Covered Entities are required to put in place a formal written incident response plan for dealing with actual or potential cybersecurity events. A response plan that is regularly tested is crucial to responding well when an event occurs: an untested plan tends to fail at the point of first contact with a real incident.
The CRFSC also lays down a set of core technical protections that Covered Entities will be expected to apply. It is not an exhaustive list and, given how quickly the risks in this area develop, nor should it be. However, it does set out some well-established technical protections that businesses should be employing as a matter of routine, including:
- Encryption of non-public information, both at rest and in transit (where technically feasible).
- Multi-factor authentication for remote access to the firm’s internal networks (at least two independent factors, rather than a password alone).
- Annual penetration testing and bi-annual vulnerability assessments (as a minimum) of the firm’s information systems.
- Access restrictions on non-public information, reviewed regularly.
- Audit trails, breach detection and data recovery capabilities.
The CRFSC requires that cybersecurity be treated as a senior management / board level issue:
- Cybersecurity policies must be approved by the board or a member of senior management.
- Each Covered Entity must designate a Chief Information Security Officer responsible for overseeing its cybersecurity programme and enforcing its cybersecurity policy.
- Covered Entities must use qualified cybersecurity personnel to manage their cybersecurity risks and ensure that these personnel receive ongoing training.
- Covered Entities must also ensure that their workforce as a whole (insofar as staff have access to the firm’s networks) is trained on, kept up to date with, and monitored against the firm’s cybersecurity policies and risks.
Covered Entities have 180 days to comply with the CRFSC (i.e. by 28 August 2017). In reality, many of the measures set out in the CRFSC will (or, at least, should) already be in place at the majority of Covered Entities. However, the CRFSC makes a minimum level of cybersecurity a regulatory requirement, and many firms will have to adopt a far more formal, documented and routinised approach to their cybersecurity going forward.
From a practical perspective, authorised firms in other jurisdictions (such as the UK) should strongly consider adopting a CRFSC compliant approach in their own businesses. Not only will this benefit the business as a whole through better protective, responsive and remedial cybersecurity capabilities, it may also give it a head-start if / when potentially similar regulatory frameworks are introduced in their own jurisdictions.
It is also clear from the tone of the CRFSC and related communications from the DFS that financial institutions will not be viewed simply as the ‘victims’ of cyber-attacks. The extent to which this was ever the case is debatable, but the direction of travel is clear: while a financial institution that is the subject of a cyber-attack is a victim of crime in a technical sense, such organisations must take appropriate steps to protect the data of which they are custodians. Playing the ‘victim’ card will get very short shrift from regulators if the institution did not have appropriate systems and controls in place at the relevant time.