On September 13, 2016, Governor Andrew Cuomo announced the issuance of proposed “first-in-the-nation” cybersecurity regulations for entities regulated by the New York Department of Financial Services (DFS), including jurisdictional banks, insurance companies, and other financial institutions. The proposed regulation will be subject to a 45-day comment period prior to being issued as a final rule. Once finalized, the regulation would become effective on January 1, 2017, at which point a 180-day “transitional period” would go into effect, during which entities would need to come into compliance with the new requirements. Many financial institutions are already subject to cybersecurity regulation pursuant to the Gramm-Leach-Bliley Act (such as via the Interagency Guidelines Establishing Information Security Standards); however, the proposed rules are highly detailed and more prescriptive in a number of respects.
In addition to certain “expected” requirements such as the establishment of a cybersecurity program and the implementation of a cybersecurity policy, the proposed regulations would require jurisdictional financial institutions to comply with a number of detailed (and potentially onerous) requirements that are described at length in the 19-page text of the proposed rule. Some of the more notable requirements in the proposed regulation include:
- Conducting penetration tests at least annually and vulnerability assessments at least quarterly.
- Developing written procedures, guidelines, and standards to ensure the use of secure development practices for in-house developed applications, as well as for testing the security of third-party applications.
- Employing cybersecurity personnel sufficient to manage cybersecurity risks and perform core functions, and ensuring such personnel receive regular training and that they stay abreast of changing cybersecurity threats and countermeasures.
- Implementing written policies and procedures designed to ensure the security of information systems and nonpublic information (as defined) accessible to or held by third parties, which policies and procedures must meet certain minimum requirements.
- In addition, entities must establish “preferred provisions to be included in contracts with third party service providers,” including, among other things, provisions that address, “to the extent applicable,” the use of multi-factor authentication to limit access to nonpublic information, encryption of such data at rest and in transit, and the provision of identity protection services to customers “materially impacted by a Cybersecurity Event that results from the third party service provider’s negligence or willful misconduct.”
- Using multi-factor authentication for remote access to internal systems or data, as well as in certain other specified circumstances in which nonpublic information is accessed.
- Encryption of nonpublic information (as defined) at rest and in transit. If such encryption is “currently infeasible,” the entity may implement “appropriate alternative compensating controls” reviewed and approved by the CISO, which may only be used in lieu of the requisite encryption for five years.
- Notifying the superintendent of the DFS of any “Cybersecurity Event that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information” no later than 72 hours after becoming aware of the incident. The rule further states that this includes events “of which notice is provided to any government or self-regulatory agency” and those “involving the actual or potential unauthorized tampering with, or access to or use of Nonpublic Information.”
- A “Cybersecurity Event” is defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.”
- Annually certifying compliance with the proposed regulation and maintaining for examination all records, schedules, and data supporting the certification for five years.
The proposed regulation will apply to “Covered Entities,” which are defined as any “Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law, or the financial services law.” According to DFS’ website, it supervises “nearly 1,900 banking and other financial institutions with assets of more than $2.9 trillion” and “all insurance companies that do business in New York,” which includes “nearly 1,700 insurance companies with assets exceeding $4.2 trillion.”
Although the financial services industry is generally regarded as highly mature with regard to cybersecurity in relation to many other industries, the level of detail in the DFS proposed rule is potentially unprecedented. Accordingly, financial institutions in New York should begin to analyze the requirements of the proposed rule as early as possible in anticipation of the applicability of the regulation in 2017.