On September 13, 2016, the New York State Department of Financial Services (DFS) released a set of proposed cybersecurity regulations for financial service institutions, including banks, insurance companies, and other financial service institutions regulated by DFS. The regulations will require "Covered Entities" to (1) establish a cybersecurity program; (2) adopt a cybersecurity policy; (3) appoint a Chief Information Security Officer; (4) Conduct third-party due diligence; and (5) Undertake various other related obligations. The regulations are scheduled to go into effect on January 1, 2017, after which Covered Entities will have 180 days to comply. Starting on January 15, 2018, Covered Entities will have to certify annually that they are in compliance with the rules and retain supporting records for five years.
Scope
The proposed regulations define "Covered Entity" as including "any Person operating or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization" to operate under New York banking, insurance, or financial services laws. As a result, the scope of the proposed regulation includes a wide array of institutions, including state-licensed banks, savings banks, insurance companies, private bankers, licensed lenders, mortgage companies, money service businesses, service contract providers and state-licensed offices of non-U.S. banks. The proposed regulations would exclude smaller institutions that have: (1) fewer than 1000 customers in each of the last three calendar years; (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years; and (3) less than $10,000,000 in year-end total assets, including assets of all affiliates. Outside of these limited exceptions, the regulations are designed to apply broadly to any financial institution regulated by DFS.
Requirements
Cybersecurity Program. The proposed regulations would require Covered Entities to develop a cybersecurity program designed to perform certain core functions, including:
- Identification of internal and external cyber risks;
- Use of defensive infrastructure and implement policies and procedures to protect the Covered Entity's information systems and the nonpublic information residing on those systems;
- Detect "Cybersecurity Events," as defined as "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System";
- Respond to and mitigate Cybersecurity Events;
- Recover from Cybersecurity Events;
- Fulfill regulatory reporting obligations.
Cybersecurity Policy. Covered entities must also implement a written cybersecurity policy that must be reviewed annually by the board of directors. The policy must set forth procedures that address a minimum of fourteen specified areas, including: Information security; Data governance and classification; Access controls and identity management; Customer data privacy; Vendor and third party management; and Incident response.
Appointment of CISO. Covered Entities are required to appoint a Chief Information Security Officer (CISO) to oversee and enforce the cybersecurity program and policy, and the position must report to the Board, at least bi-annually, on the state of the entity's cybersecurity program.
Third-Party Risk Management. The proposed regulations would require written policies and procedures relating to the cybersecurity practices of third party service providers with access to entity information systems and nonpublic information. A "Third Party Information Security Policy" must address: initial risk assessments and subsequently annual assessments of third party cybersecurity practices, minimum cybersecurity practices required to do business with the Covered Entity, and due diligence processes. In addition, the policies and practices must establish "preferred provisions" to be used in agreements with third parties that hold the third parties contractually accountable for their cybersecurity practices.
Additional Obligations. Additional periodic activities, include: annual penetration testing and risk assessments, quarterly vulnerability assessments, periodic reviews of access privileges, and mandatory cybersecurity awareness training. Moreover, entities will have 72 hours to notify DFS of a Cybersecurity Event, and must have a written incident response plan in place to promptly respond to and recovery from such events.
The proposed regulations would further require that Covered Entities take steps to encrypt nonpublic information being transmitted or held. Covered Entities also will have to implement multi-factor authentication procedures for access to information systems and nonpublic information, and audit trail systems that track and maintain, for six years, financial transaction, accounting, and system access data. Further, entities must limit information system and nonpublic information access privileges solely to those who require such access to perform their responsibilities.
The proposed regulations are currently open for a 45-day public comment period that began on September 28, 2016.