On September 13, 2016, the New York Department of Financial Services (DFS) proposed first-in-the-nation cybersecurity regulations (Regulations) that would require banks and other financial institutions to adopt minimum cybersecurity standards. In some ways the Regulations are consistent with existing Federal Financial Institutions Examination Council (FFIEC) cybersecurity guidelines and FFIEC’s Information Technology (IT) Examination Handbook (IT Handbook). However, the Regulations go beyond FFIEC standards in certain ways.
If adopted, New York would also be the first state in the nation to require a prescriptive cybersecurity program for licensed financial institutions. New York banks regulated by federal banking agencies will need to review their existing FFIEC-based cybersecurity programs to confirm that those programs comply, but many insurance companies and other financial institutions licensed and regulated by the DFS may be challenged to comply by the proposed January 1, 2017 effective date, even taking into account the 180-day compliance transition period under the Proposed Regulations. The Proposed Regulations target an understandable concern, however, in light of the economic harm caused by cyberattacks, their increasing frequency and sophistication (see our post on the recent SWIFT hacks), and New York’s status as a financial center. The Proposed Regulations follow DFS’s February 2015 Report on Cybersecurity in the Insurance Sector, which found that 23% of New York insurance companies had been the target of “phishing” or other email scams, and DFS’s May 2014 Report on Cybersecurity in the Banking Sector, which found that 21% of banks had experienced phishing attacks.
It is almost certain that other states will follow and require financial institutions to adopt cybersecurity programs. A patchwork of state law may then apply, depending on how broadly each state’s standards reach financial institutions doing business there. Firms should focus on proactively developing a comprehensive, robust cybersecurity program that can evolve appropriately, so that they are well-positioned to comply in any other state that follows DFS’s lead.
Is my firm in-scope?
The Regulations apply to entities licensed, required to be licensed, or otherwise registered under New York banking, insurance or financial services laws (Covered Entities). The Regulations include a limited exemption that would apply only to a small subset of smaller institutions.
What do the Regulations require?
The Regulations prescribe written policies and procedures and require Covered Entities to adopt cybersecurity programs designed to ensure the safety and soundness of the institution by safeguarding customer “nonpublic information”. The Regulations’ definition of “nonpublic information” is broader than FFIEC’s, so Covered Entities already complying with FFIEC may find the new definition presents a gap that needs to be bridged.
- Establishment of a program
The institution would be required to adopt a formal cybersecurity program built around six core functions. Five of these are similar to FFIEC’s five cybersecurity preparedness functions; the sixth is the additional requirement to report to DFS specifically.
- Adoption of a cybersecurity policy
Federally regulated banks should have a written cybersecurity policy based on the Office of the Comptroller of the Currency (OCC) Part 30 “safety and soundness” standards, and FFIEC examination guidelines. However, Covered Entities must review cybersecurity policies to confirm that they address the issues required by the Regulations.
- Chief Information Security Officer
The FFIEC IT Handbook describes the role and responsibilities of the Chief Information Security Officer (CISO). The Regulations go beyond the FFIEC guidelines and require Covered Entities to formally designate a CISO. The CISO must report, at least bi-annually, to the board of directors in relation to specified topics. Covered Entities may outsource the CISO function, but remain responsible for CISO requirements.
- Third party service providers
Covered Entities would be required to adopt policies and procedures to ensure the security of information systems and nonpublic information accessible by third parties. The Regulations expand upon the OCC’s October 2013 Third Party Risk Management Guidance and the Federal Reserve Board’s December 2013 Guidance on Managing Outsourcing Risk. Covered Entities must include preferred provisions in contracts with third party service providers. It is unclear whether the standards in the Regulations must be added to existing agreements. If not already required, institutions should confirm that the applicable provisions are included in their policies, procedures and agreements with third party service providers.
- Additional requirements
- Testing and assessments – The Proposed Regulations would require penetration tests at least annually and vulnerability assessments at least quarterly. FFIEC guidelines do not prescribe any specific frequency for penetration tests (so-called Pen Tests) or vulnerability assessments. This could present a compliance challenge for community banks and smaller financial institutions, many of which perform vulnerability assessments only annually.
- Audit trail – Track and maintain audit trail records, and all data relating to system access, for at least six years.
- Access – Limit access privileges to information systems that provide access to nonpublic information solely to those individuals who require such access.
- Application security – Applications developed in-house must be covered by written procedures, guidelines and standards for secure development, and the Covered Entity must have written policies and procedures for assessing and testing application security, which must be reviewed at least annually by the CISO.
- Risk assessment – Conduct a risk assessment annually and include criteria for identifying and assessing risks.
- Personnel – Employ (or outsource) IT personnel sufficient to manage the institution’s cybersecurity risk.
- Multi-factor authentication – Multi-factor authentication is required for any individual accessing the institution’s internal systems or database servers. FFIEC encourages multi-factor authentication for mobile financial services, but does not require it for individuals accessing internal systems or servers.
- Limitations of data retention – Implement policies and procedures for the “timely” destruction of nonpublic information that is no longer needed (except where such information is required to be retained). The Regulations do not define “timely”.
- Training and monitoring – Adopt policies and procedures designed to monitor authorized users’ activities, detect unauthorized use of information systems and require personnel to attend cybersecurity training.
- Encryption – Encrypt all nonpublic information, both in transit and at rest, unless infeasible.
- Incident response plan (IRP) – The Regulations require an IRP similar to FFIEC’s, except that the Regulations do not specifically address any requirement to file Suspicious Activity Reports (SARs) or to give notice to information sharing organizations. However, they require notification to DFS within 72 hours of becoming aware of a cybersecurity event, and delivery to DFS, annually by January 15, of a certification of compliance with the Regulations.
What is not required?
The Regulations require notice to DFS within 72 hours, but not necessarily a public announcement or notice to an institution’s customers. The Regulations do not require or recommend cybersecurity insurance coverage. The omission of insurance from the Regulations is notable because in December 2014 DFS became the first regulator to include cybersecurity insurance as part of its examination procedures for New York chartered banks.