The Empire (State) Strikes Back: Six Highlights of New York’s New Cybersecurity Regulations for Financial Institutions
By Saad Gul and Michael E. Slipsky
The New York Department of Financial Services (NYDFS)’s finalized Cybersecurity Requirements for Financial Services Companies (“regulations”) went into effect on March 1, 2017. NYDFS has provided a 6-month safe harbor to enable institutions to become compliant: initial compliance is expected by September 2017.
We have previously addressed the New York regulations here. While certain key aspects of cybersecurity, such as those involving Blockchain technology, are not implicated (though other regulations try to accomplish that), these regulations impact virtually every bank, insurer and financial entity (“covered entities”) regulated by NYDFS.
We cover six highlights of the newly effective regulations below.
Reporting: Perhaps the most controversial and fiercely contested issue is the regulations’ imposition of a 72-hour deadline for reporting cybersecurity events to state regulators. Financial institutions and the financial press have savaged this deadline as draconian. Indeed, our own experience indicates that 72 hours is barely sufficient for a company to make an initial evaluation of a cybersecurity event, much less to make an informed report to regulators.
However, the 72-hour deadline corresponds to a similar provision in the European Union’s new General Data Protection Regulation (GDPR), which goes into effect in May 2018. Given the significant overlapping relationships between New York and European banks and the corresponding need to comply with GDPR, the 72-hour benchmark may be a foregone conclusion in any event.
Chief Information Security Officer (CISO): Banks and other covered entities are required to designate a “qualified individual” to enforce cybersecurity policies. The regulations do not prescribe the required qualifications for the individual. But they must be commensurate with the CISO’s regulatory obligations. At a minimum, the CISO has responsibility for compliance, monitoring third-party vendors, and making annual reports to the covered entity’s Board of Directors on cybersecurity issues.
The objective is to ensure that the executive leadership apparatus includes an individual with the knowledge and institutional capital to articulate information security concerns at the highest level. This is the American counterpart to the Data Protection Officer (DPO) in the GDPR; DPOs are supposed to play a similar role in protecting privacy.
Testing: Covered entities are required to conduct periodic stress-testing to evaluate the effectiveness of their cybersecurity programs. The regulations contemplate that this process be conducted continuously, or at least on a periodic basis. It entails both penetration testing and vulnerability assessments to enable the covered entity to identify weaknesses in cyber defenses. Banks and other covered entities might contract with outside “white hat” hackers to probe their defenses; deficiencies identified must be promptly addressed. The entire process is then repeated. NYDFS has indicated that it will audit documentation to ensure that the stress-testing process is implemented with the necessary vigor.
Access Control: In our experience, the majority of cyber incidents can be attributed to human action, whether malicious or inadvertent. The regulations address these concerns by mandating that each covered entity limit access to computer systems that provide access to sensitive data to those employees whose job functions necessitate such access. The covered entity is required to periodically reevaluate each employee to determine whether access is still warranted.
Training and Monitoring: The regulations also address insider threats by mandating a combination of training and monitoring. Covered entities are required to provide regular cybersecurity awareness training for all personnel. The level of training must correspond to the risks and vulnerabilities identified by the CISO.
In addition, the covered entity must have policies, procedures and controls that monitor the activities of authorized users. These policies must be capable of detecting unauthorized access, utilization, or modification of sensitive data.
Incident Response Plan: Each covered entity must have a written incident response plan outlining the process for responding to a cybersecurity event that may affect the confidentiality of data (e.g., a breach) or continuing business operation (e.g., ransomware or denial of service attacks). The plan must outline internal procedures, objectives, benchmarks, lines of responsibility, information sharing (internal and external) and remediation procedures. The plan must be evaluated and revised in the wake of each cybersecurity event.
These six points are only the highlights of the regulations. Once fully implemented, the regulations cover a wide range of issues from multi-factor authentication to encryption of PII to the appropriate disposal of nonpublic information.
As of February 15, 2018, covered entities must furnish NYDFS a certificate of compliance with the new regulations. The regulations set specific benchmarks for consumer privacy and institutional cybersecurity in the financial sector. There has been criticism that the regulations will result in an institutional focus on compliance rather than security. However, in our view, this criticism is misplaced.
The prospect of federally mandated benchmarks seems remote. In their absence, competing recommendations from a variety of institutions—ranging from NIST to NAIC to the European Union—will jostle to become the uniform standard. Since standards will inevitably compete and evolve in this regulatory mélange, New York, being the heart of the American financial system and a place where jostling is practically a sport, is as good a place as any to start from.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or email@example.com. Mike may be reached at 919.783.2851 or firstname.lastname@example.org.