New York State proposes new cybersecurity regulation for financial institutions

As federal regulators continue to update existing cybersecurity guidance[1] and consider new rules governing banks’ cybersecurity practices,[2] the New York State Department of Financial Services (DFS), under the direction of Governor Andrew Cuomo, proposed to establish cybersecurity requirements that go beyond those at the federal level.

On September 13, 2016, the DFS issued a proposal[3] that would require banks, insurance companies, and other DFS-regulated entities to establish a cybersecurity program and comply with related requirements. Although these institutions are already subject to cybersecurity requirements at both the federal and state levels, the proposal, which the DFS describes as a “first-in-the-nation” regulation, would establish a more prescriptive framework than any existing regulation.

In a statement accompanying the proposal, DFS Superintendent Maria Vullo argued that the new requirements contain the “flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs.”[4]

Below are some takeaways from the proposal, as well as a quick description of next steps to consider.

For detailed information on the proposed requirements, please click here.

Background
The DFS has been focused on cybersecurity issues for the last three years, conducting a survey of nearly 200 regulated entities on industry practices and emerging trends and producing three reports on its findings in 2014 and 2015.

In November 2015, then-Acting Superintendent Anthony Albanese issued a memo to federal and state financial regulators—including the Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency—alerting them of potential new DFS cybersecurity regulations. Nearly all of the topics described in the memo were included in the proposal.

Key proposed requirements

Although many covered entities may already have cybersecurity programs in place, the DFS proposal would require new actions, such as the appointment of a Chief Information Security Officer (CISO) and the submission of an annual certification to the DFS regarding compliance with the regulation.

Cybersecurity Program

Fundamentally, covered entities would be required to establish a cybersecurity program designed to identify internal and external cyber risks, protect the institution’s information systems, and detect and respond to all cybersecurity events.

Written policy

The DFS proposal sets forth a detailed description of the components of a written cybersecurity policy, which all covered entities would be required to adopt. The policy would be subject to review by each entity’s board of directors and approval by a senior officer.

Chief Information Security Officer

Each covered entity would be required to designate a qualified individual to serve as its CISO, responsible for overseeing and implementing its cybersecurity program and enforcing its cybersecurity policy. Importantly, the CISO would be required to report to the entity’s board of directors at least twice a year to provide an assessment of its information systems.

Certification requirement and notices to the DFS

Under the proposal, beginning on January 15, 2018, each covered entity would be required to submit an annual certification to the Superintendent of the DFS regarding compliance with the cybersecurity requirements. In a statement accompanying the proposal, DFS Superintendent Vullo emphasized that, through the certification, institutions will be “held accountable” for meeting these requirements.

In addition, covered entities would be required to notify the DFS Superintendent of any cybersecurity event (i.e., any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or information stored on an information system) that has a “reasonable likelihood of materially affecting the normal operations” of the entity. The notification would be required within 72 hours of the institution becoming aware of the event.

New prescriptive requirements for information systems

In addition to the annual certification requirement, the proposal would establish a number of other specific information systems-related requirements that go beyond those at the federal level, including:

  • An annual risk assessment
  • Annual penetration testing
  • Quarterly vulnerability assessment

The proposal would also require covered entities to implement written policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties. Covered entities would be required to assess these policies annually.

Next steps

The proposed regulation is subject to a public comment period that ends 45 days after the proposal is published in the New York State Register.

The proposal would establish a January 1, 2017 effective date and a six-month transitional period for covered entities to comply (i.e., a July 1, 2017 compliance date). However, the effective date and compliance date may change in the final version of the regulation.

Covered entities should analyze the proposal and consider the impact on their organization.

As further developments occur, Deloitte Advisory will issue additional updates as appropriate.

[1] See Letter from Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation to Rep. Carolyn Maloney (D-NY), (August 17, 2016), available here.
[2] American Banker, “Regulators Aim for Banks Achilles’ Heel with New Cybersecurity Plan,” (July 22, 2016), available at http://www.americanbanker.com/news/law-regulation/regulators-aim-for-banks-achilles-heel-with-new-cybersecurity-plan-1090353-1.html. “Individuals familiar with the conversations said regulators are intent on obtaining banks’ input to ensure any plan will be appropriately balanced. The proposal will likely be issued as an advance notice of proposed rulemaking, which will allow regulators more time and multiple iterations to get it right.”
[3] New York State Department of Financial Services, Proposed, “Cybersecurity Requirements for Financial Services Companies,” 23 NYCRR 500, (September 13, 2016), available at http://dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.
[4] Id.
