The New York State Department of Financial Services (NYDFS) has set forth a proposed cybersecurity regulation for financial service companies. Announced this week by New York Governor Andrew M. Cuomo, the proposed rule seeks to protect both consumer data and financial systems from terrorist organizations and other criminal enterprises.
The proposed regulation would apply to all financial institutions licensed or regulated (or required to be licensed or regulated) by the NYDFS, including:
- Insurance companies
- Trust companies
- Branch, agency and representative offices of foreign banks
- Money transmitters
- Credit unions
- Mortgage and other licensed lenders and loan brokers
The NYFDS proposal is far more prescriptive than comparable existing guidance from the Federal Financial Institutions Examination Council (FFIEC). In addition, it contains an extraordinarily short breach notice deadline of 72 hours. Finally, the regulation could prove to be a step toward a patchwork of conflicting state-by-state regulation.
Under the proposed regulation, covered entities would be required to:
- Establish a cybersecurity program designed to ensure the confidentiality, integrity and availability of the institution’s information systems. Specifically, the regulation requires entities to identify internal and external cyber risks by identifying and classifying nonpublic information by sensitivity and appropriate level of access; policies and procedures designed to defend the institution’s infrastructure against unauthorized access or malicious acts; detect, respond to, and recover from cybersecurity events; and fulfill all regulatory reporting obligations.
- Adopt a cybersecurity policy, reviewed by the board of directors and approved by a senior officer. The cybersecurity policy shall address, at a minimum, the following areas:
(1) information security
(2) data governance and classification
(3) access controls and identity management
(4) business continuity and disaster recovery planning and resources
(5) capacity and performance planning
(6) systems operations and availability concerns
(7) systems and network security
(8) systems and network monitoring
(9) systems and application development and quality assurance
(10) physical security and environmental controls
(11) customer data privacy
(12) vendor and third-party service provider management
(13) risk assessment and
(14) incident response.
- Designate a Chief Information Security Officer with responsibility to oversee and implement the cybersecurity program. The proposed regulation requires the CISO to report, at least biannually, to the board of directors regarding the confidentiality, integrity and availability of information systems, appropriate exceptions to cybersecurity policies and procedures, identification of cyber-risks, assessment regarding the effectiveness of the cybersecurity program, proposed steps to remediate any inadequacies identified. Additionally, the CISO is required to include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.
- Conduct penetration testing and vulnerability assessments on an annual basis (for penetration testing) and at least quarterly (for vulnerability assessments).
- Implement audit trails to track and maintain data that allows for the complete and accurate reconstruction of all financial transactions and accounting necessary to enable the entity to detect and respond to a cybersecurity event. Additionally, such audit trails should permit the ability to track and maintain data logging of all privileged access to critical systems; protect the integrity of audit trails from alteration or tampering; protect the integrity of hardware from alteration or tampering; log system events, including access and alterations made to the audit trail systems; and maintain such audit trail records for at least six years.
- Ensure security of third-party service providers through identification and risk assessment. The proposed regulation does not include any specific requirements for third parties, but does mandate due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-parties within the entity’s cybersecurity policy.
- Comply with the 72-hour notification requirement for any cybersecurity event of which notice is provided to any government or self-regulatory agency; or any cybersecurity event involving the actual or potential unauthorized tampering with, or access to or use of, nonpublic information.
Additional requirements include the use of multi-factor authentication for any individual accessing the entity’s internal systems or data from an external network or privileged access to database servers that allow access to nonpublic information; timely destruction of any nonpublic information that is no longer necessary for the provision of the products or services for which such information was provided; regular cybersecurity awareness training; encryption of all nonpublic information held or transmitted; and a written incident response plan to respond to, and recover from, any cybersecurity event.
The proposed regulation would take effect, if finalized, on January 1, 2017, with an additional 180-day transitional period for covered institutions to come into compliance. Final implementation of the proposed regulation is subject to a 45-day notice and public comment period, with comments due by October 28, 2016. DLA Piper’s Cybersecurity practice has extensive experience with cyber and information security regulatory proceedings and, with support from the firm’s financial services and insurance regulatory practices, would be happy to assist clients in filing comments.
Learn more about the implications of the proposed regulation by contacting Jim Halpert.
*Michael Schearer is a law clerk in DLA Piper’s Technology Transactions and Strategic Sourcing group, based in Washington, DC.