New York Department of Financial Services (NYDFS)

New York Department of Financial Services Promulgates First-in-the-Nation State Cybersecurity Regulation

On February 16, 2017, the New York Department of Financial Services (“DFS”) promulgated a regulation that requires “Covered Entities” to establish and maintain a cybersecurity program designed to protect consumers and the financial services industry itself (the “Regulation”).

A “Covered Entity” means any individual or any nongovernment entity that operates under or is required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York State Banking Law, Insurance Law or Financial Services Law. Accordingly, Covered Entities include, among others, New York branches and representative offices of foreign banks, but do not include “investment advisers” and “broker-dealers.”

The Regulation is risk-based and includes regulatory minimum standards and encourages Covered Entities to keep pace with technological advances. The Regulation specifically provides protections to prevent and avoid cyber breaches, including:

  • Controls relating to the governance framework for a cybersecurity program, including requirements for a program that is adequately funded and staffed, overseen by qualified management and reported on periodically to the most senior governing body of the organization;
  • Risk-based minimum standards for technology systems, including access controls, data protection including encryption and penetration testing;
  • Required minimum standards to help address any cyber breaches, including an incident response plan, preservation of data to respond to such breaches and notice to DFS of material events; and
  • Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.

Of particular relevance to global, diversified financial institutions, (i) a Covered Entity may meet the requirements of the Regulation by adopting the relevant and applicable provisions of a cybersecurity program maintained by an affiliate, provided that such provisions satisfy the requirements of the Regulation applicable to the Covered Entity; and (ii) each Covered Entity must implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.

The Regulation will become effective on March 1, 2017. Covered Entities will be required to annually prepare and submit to the Superintendent of Financial Services a “Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations” commencing February 15, 2018.

The Regulation provides that, generally, Covered Entities shall have 180 days from March 1, 2017 to comply with the Regulation. However, certain provisions include additional transitional periods: (i) one year from March 1 to comply with the requirements that, among others, (x) the Chief Information Security Officer report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body, (y) the Covered Entity conduct a risk assessment of its information systems and (z) the Covered Entity provide regular cybersecurity awareness training for all personnel; (ii) 18 months from March 1 to implement risk-based policies, procedures and controls designed to monitor the activity of authorized users of the Covered Entity’s information systems and data and to detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users; and (iii) two years to comply with the requirement to implement written policies and procedures designed to ensure the security of the information systems and nonpublic information of the Covered Entity that are accessible to, or held by, third-party service providers.

Bank of Tokyo-Mitsubishi UFJ and MUFG Securities Fined by PRA

On February 9, 2017, the Prudential Regulation Authority (“PRA”) issued a notice imposing fines of £17.75m and £8.925m on Bank of Tokyo-Mitsubishi UFJ (“BTMU”) and MUFG Securities EMEA (“MUFG”), respectively, for failing to be open and cooperative. The fines related to enforcement action by the New York Department of Financial Services (“NYDFS”) against both BTMU and MUFG, following which the PRA deemed that the two banks were in breach of the PRA Fundamental Rules.

In particular, it was deemed that they had breached Fundamental Rule 6, which states “a firm must organize and control its affairs responsibly and effectively,” and Fundamental Rule 7, which outlines “a firm must deal with its regulators in an open and cooperative way and must disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice.”

It was found by the PRA that BTMU failed to put in place appropriate procedures, systems and controls for communicating information relating to the NYDFS action, and failed to deal with the PRA openly following it. This was despite the action being linked to BTMU’s conduct in New York.

MUFG was fined by the PRA for a similar offense, as it was deemed not to have been open and cooperative in relation to a NYDFS investigation into an individual at the firm. It was deemed that the PRA had not been informed in a timely manner and was therefore deprived of the opportunity to rule on the fitness of the individual.

This is the first time the PRA has issued a fine for breach of Fundamental Rules 6 and 7, and it sends out a warning that the PRA should be informed of any sanctions by a regulator in a timely manner, irrespective of the jurisdiction of that regulator.

The full notice is available here.