As federal regulators continue to update existing cybersecurity guidance1 and consider new rules governing banks’ cybersecurity practices,2 the New York State Department of Financial Services (DFS), under the direction of Governor Andrew Cuomo, proposed to establish cybersecurity requirements that go beyond those at the federal level.
On September 13, 2016, the DFS issued a proposal3 that would require banks, insurance companies, and other DFS-regulated entities to establish a cybersecurity program and comply with related requirements. Although these institutions are already subject to cybersecurity requirements at both the federal and state levels, the proposal, which the DFS describes as a “first-in-the-nation” regulation, would establish a more prescriptive framework than any existing regulation.
In a statement accompanying the proposal, DFS Superintendent Maria Vullo argued that the new requirements contain the “flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs.”4
Below are some takeaways from the proposal, as well as a quick description of next steps to consider.
For detailed information on the proposed requirements, please click here.
In November 2015, then-Acting Superintendent Anthony Albanese issued a memo to federal and state financial regulators—including the Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency—alerting them of potential new DFS cybersecurity regulations. Nearly all of the topics described in the memo were included in the proposal.
Key proposed requirements
Although many covered entities may already have cybersecurity programs in place, the DFS proposal would require new actions, such as the appointment of a Chief Information Security Officer (CISO) and the submission of an annual certification to the DFS regarding compliance with the regulation.
Fundamentally, covered entities would be required to establish a cybersecurity program designed to identify internal and external cyber risks, protect the institution’s information systems, and detect and respond to all cybersecurity events.
The DFS proposal sets forth a detailed description of the components of a written cybersecurity policy, which all covered entities would be required to adopt. The policy would be subject to review by each entity’s board of directors and approval by a senior officer.
Chief Information Security Officer
Each covered entity would be required to designate a qualified individual to serve as its CISO, responsible for overseeing and implementing its cybersecurity program and enforcing its cybersecurity policy. Importantly, the CISO would be required to report to the entity’s board of directors at least twice a year to provide an assessment of its information systems.
Certification requirement and notices to the DFS
Under the proposal, beginning on January 15, 2018, each covered entity would be required to submit an annual certification to the Superintendent of the DFS regarding compliance with the cybersecurity requirements. In a statement accompanying the proposal, DFS Superintendent Vullo emphasized that, through the certification, institutions will be “held accountable” for meeting these requirements.
In addition, covered entities would be required to notify the DFS Superintendent of any cybersecurity event (i.e., any act of attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or information stored on an information system) that has a “reasonable likelihood of materially affecting the normal operations” of the entity. The notification would be required within 72 hours of the institution becoming aware of the event.
New prescriptive requirements for information systems
In addition to the annual certification requirement, the proposal would establish a number of other specific information systems-related requirements that go beyond those at the federal level, including:
The proposal would also require covered entities to implement written policies and procedures designed to ensure the security information systems and nonpublic information accessible to, or held by, third parties. Covered entities would be required to assess these policies annually.
The proposed regulation is subject to a public comment period that ends 45 days after the proposal is published in the New York State Register.
The proposal would establish a January 1, 2017 effective date and a six-month transitional period for covered entities to comply (i.e., a July 1, 2017 compliance date). However, the effective date and compliance date may change in the final version of the regulation.
Covered entities should analyze the proposal and consider the impact on their organization.
As further developments occur, Deloitte Advisory will issue additional updates as appropriate.
1See Letter from Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation to Rep. Carolyn Maloney (D-NY), (August 17, 2016), available here.