October 5, 2016

New York State Department of Financial Services Proposes Far-Reaching Cybersecurity Rules

The New York State Department of Financial Services (the DFS) has issued a proposed regulation that would impose cybersecurity-related requirements on entities it supervises. In some cases, these requirements would go beyond existing requirements.

The proposed regulation would apply to entities operating or required to operate under a license, registration or other authorization under the New York Banking Law, Insurance Law or Financial Services Law. These covered entities include:

  • New York state chartered banks,
  • New York licensed branches and agencies of foreign banks,
  • insurance companies,
  • money transmitters,
  • licensed lenders, and
  • mortgage lenders and servicers.

Certain small entities would be exempt from some but not all of the requirements of the proposed regulation.

If adopted, the proposed regulation would require covered entities to adopt a written cybersecurity program and implement various safeguards to protect nonpublic information, as broadly defined in the proposal. Covered entities would have to annually certify to the DFS their compliance with the proposed regulation.

The proposal is subject to a 45-day public comment period, which will end on November 14, 2016.

Broader than Existing Guidance

As currently drafted, the proposed regulation is more prescriptive and goes beyond the requirements imposed by the federal banking regulators on the depository institutions they supervise. For example, guidance provided by the Federal Financial Institutions Examination Council in its September 2016 Examination Handbook suggests that financial institutions should implement the type and level of encryption that is commensurate with the sensitivity of information being protected, but does not mandate that all nonpublic information be encrypted while in transit and at rest as the DFS has proposed. The DFS proposal also appears to require multi-factor authentication in a broader range of circumstances than the guidance provided by federal regulators to depository institutions, which is focused on online banking. Similarly, the federal banking regulators require financial institutions to provide notice of information security breaches involving unauthorized access to or use of sensitive customer information but do not mandate notification within 72 hours of any cybersecurity event, which the DFS proposal would require.

Written Cybersecurity Program and Policies

Each covered entity’s cybersecurity program would need to be designed to ensure the confidentiality, integrity and availability of the covered entity’s information systems and to perform the following functions:

  • Identify internal and external threats;
  • Employ defensive infrastructure and implementation of policies and procedures to protect the covered entity’s information systems and its confidential information from unauthorized access, use or other malicious acts;
  • Detect cybersecurity events, which the proposal defines as any act or attempt (whether or not successful) to gain unauthorized access to, disrupt or misuse an information system or any information stored on such a system;
  • Mitigate negative effects of cybersecurity events, recover from such events and restore normal operations; and
  • Fulfill any regulatory reporting requirements.

Covered entities would also need to implement and maintain a more specific written cybersecurity policy setting forth procedures to protect information systems and nonpublic information. The policy would need to address certain minimum requirements described in the proposed regulation and would need to be approved by a senior officer and reviewed by the entity’s board of directors at least annually.

Chief Information Security Officer

Each covered entity would be required to designate a qualified individual as the covered entity’s Chief Information Security Officer (CISO). The CISO would be responsible for implementing the covered entity’s cybersecurity program and ensuring compliance with the proposed rule, if adopted. A covered entity could engage a third-party service provider to fulfill the CISO’s responsibilities, but the covered entity would ultimately remain responsible for compliance with the regulation and would need to designate a senior officer as being responsible for overseeing the third party. The covered entity would also need to require the third party to maintain its own cybersecurity program that meets the requirements of the proposed regulation.

At least twice a year, the CISO would need to report to the covered entity’s board of directors on the covered entity’s cybersecurity program. Among other matters, the report would need to address the confidentiality, integrity and availability of the covered entity’s information systems, identify exceptions to cybersecurity policies and procedures, identify cyber-risks, assess the effectiveness of the cybersecurity program, propose any necessary remedial measures, and summarize any cybersecurity events during the period covered by the report.

Other Requirements

The proposed regulation would also require covered entities to implement certain additional measures, including:

  • Limiting access privileges to information systems that provide access to nonpublic information solely to those individuals who require such access to perform their responsibilities;
  • Creating and implementing an audit trail system to track and log all privileged authorized user access to critical systems;
  • Performing penetration testing at least annually and vulnerability assessments at least quarterly;
  • Implementing written procedures, guidelines and standards designed to ensure secure development practices for in-house developed applications as well as assessing and testing externally developed applications;
  • Conducting a cybersecurity risk assessment at least annually;
  • Employing personnel to manage the covered entity’s cybersecurity risks and perform the functions required by the proposed regulation, and providing regular training sessions for such personnel;
  • Requiring multi-factor authentication for any individual accessing the covered entity’s internal systems or data from an external network or for any privileged access to database servers that allow access to nonpublic information;
  • Requiring risk-based authentication to access web applications that capture, display or interface with nonpublic information;
  • Destroying nonpublic information that is no longer necessary for the provision of the products or services for which such information was provided (except where such information is required to be retained by law or regulation);
  • Requiring all personnel to attend regular cybersecurity awareness training;
  • Establishing a cybersecurity incident response plan that meets certain minimum requirements; and
  • Notifying the DFS of any cybersecurity event that may affect the normal operation of the covered entity or that affects nonpublic information as promptly as possible but in no event later than 72 hours following the event.

The proposed regulation would also require covered entities to encrypt all nonpublic information held or transmitted by the covered entity, both in transit and at rest. However, if such encryption is not currently feasible, the proposal would allow covered entities up to one year to comply with the encryption requirement so long as they implement compensating controls in the meantime.

Third-Party Information Security Policy

Covered entities would also be required to implement policies and procedures designed to ensure the security of information systems and nonpublic information accessible to or held by third parties doing business with the covered entity, which means that certain requirements of the proposed rule would apply to service providers to New York banks and other covered entities. In particular, a covered entity’s third-party information security policy would need to address, to the extent applicable, the use of multi-factor authentication to limit access to sensitive systems and nonpublic information, the use of encryption to protect nonpublic information in transit and at rest, prompt notice of cybersecurity events affecting the service provider, the ability of the covered entity to conduct cybersecurity audits and other matters.