Just as it promised a year ago, New York State has proposed new prescriptive minimum cybersecurity requirements for regulated financial services institutions. The regulations go final after a 45-day notice and public comment period. At that point, entities regulated by the NYDFS will be subject to the nation’s first prescriptive set of cybersecurity requirements, in contrast to the risk-based cybersecurity programs that other financial regulators have mandated to date. Thus, unlike previous guidance and reports issued by financial regulators such as FINRA and the SEC, New York’s rules are specific requirements that all regulated financial institutions must adopt. In this Part I, we review the proposed requirements and offer some specific steps that regulated financial services institutions should begin to consider for compliance readiness.
On November 9, 2015, the New York State Department of Financial Services (“NYDFS”) issued a letter that outlined proposed regulations intended to improve the cybersecurity resiliency of regulated financial services institutions. The letter followed risk assessments NYDFS conducted in 2014 and 2015 that revealed industry-wide cybersecurity vulnerabilities. For example, the assessments revealed a widespread failure by financial institutions to conduct on-site audits of third party vendors that handle sensitive customer information to ensure compliance with contractual requirements. Following those assessments, NYDFS signaled that financial services institutions should be required to implement, among other things, policies and procedures for data and network security, contractual requirements for third party vendors, and guidelines for securing applications. In addition, NYDFS specifically mentioned a series of baseline security requirements, such as multi-factor authentication, designation of a chief information security officer to oversee security and report to NYDFS, employment of personnel to manage cybersecurity risk, and regular risk assessments and vulnerability and penetration testing.
The new proposed regulations set out, in prescriptive form, the elements that would be required in the security programs of all regulated financial institutions. Among the key requirements are:
- Broad definition of Nonpublic Information that includes confidential business information as well as individual-related information such as a name, password, or any other information that is linked or linkable to an individual, such as medical, educational, financial, occupational, or employment information, or other information used for marketing purposes.
- Comprehensive data mapping as part of the Cybersecurity Program to identify Nonpublic Information stored on the financial institution’s information systems, the sensitivity of that information, and how and by whom such data is accessed.
- Review by the Board of Directors of the organization’s Cybersecurity Policy and approval by a senior officer.
- Designation of a Chief Information Security Officer who would be required (at least bi-annually) to provide a report to the Board of Directors (and NYDFS, if requested) assessing the Cybersecurity Program, explaining exceptions, identifying risks, proposing remediation steps, and summarizing material cybersecurity events.
- Annual Penetration Testing, Quarterly Vulnerability Assessments, and Annual Risk Assessments that document mitigation steps or risk acceptance.
- Implementation of an Audit Trail System and Application Security policies and procedures for applications used in house.
- Sufficient Cybersecurity Personnel who are trained regularly and required to stay informed about changes in cybersecurity threat and response landscape.
- A written Third Party Information Security Policy for vendors and service providers that establishes policies/procedures for conducting third party due diligence and risk assessments, develops minimum standards, and prescribes annual compliance audits, as well as the development and use of “preferred” contractual provisions addressing key security issues, such as use of multi-factor authentication and encryption, provision of notice of security incidents, and cybersecurity compliance audits.
- Use of Multi-Factor Authentication by employees, availability of multi-factor authentication for individuals using web applications, and use of advanced authentication features that seek additional verification from users if there are anomalies or changes in behavioral patterns.
- Training for personnel, and Monitoring policies for user activity.
- Use of Encryption for Nonpublic Information at rest and in transit.
- Development of an Incident Response Plan to promptly respond to and remediate Cybersecurity Events, which must have clearly defined roles and responsibilities, and be evaluated and revised after Cybersecurity Events.
- Notification within 72 hours to NYDFS of any Cybersecurity Event reasonably likely to affect normal operations or Nonpublic Information (broader than state “personal information” definitions) or upon identification of any material risk of imminent harm to its Cybersecurity Program, and annual certification to NYDFS of compliance with notice requirements.
Regulated financial institutions will have 180 days from the effective date of the rule to comply, and will be subject to enforcement by NYDFS.
If the final regulations mirror the proposed regulations, there are some key things financial institutions should do to get prepared:
1. Start with Reviewing Technical Aspects of Existing Cybersecurity Program. Organizations should review their current cybersecurity programs to determine the extent to which they have already implemented, or are in the process of implementing, the key components and requirements that will be mandated by the regulation, particularly multi-factor authentication within the enterprise and for web accessible applications, encryption at rest and in transit, and an audit trail system. Although the rules are not yet final and it will take some time for them to be adopted and come into effect, regulated entities should expect few material changes to these requirements before the rules become effective, given that the technical requirements align closely with what NYDFS outlined almost a year ago in its November 2015 letter. That may also suggest that NYDFS is less likely to approve or accept exceptions.
2. Review Third Party Arrangements/Contracts Immediately. In keeping with a long trend among financial regulators (including FINRA, the FFIEC, and the SEC) of focusing keenly on the management of third party vendors, NYDFS’ proposed rule will require significant monitoring and review of third party vendors. Regulated entities with a significant number of vendors (which may include hundreds that have access to Nonpublic Information) should begin by reviewing current contracts and the security requirements/policies incorporated in them for each third party, and assess gaps against the proposed rule on a vendor-by-vendor basis. While some of the proposed requirements (e.g., pre-engagement due diligence) are standard practice that many financial institutions have already adopted, many regulated entities (approximately 50% according to NYDFS’ last review) are not conducting audits of third parties to assess contractual compliance.
Regulated institutions should keep a careful eye on any comments submitted and be prepared for further revisions to this particular rule. In response to comments and clarification requests from SIFMA, for example, NYDFS moved away from the position laid out in its November 2015 letter whereby entities “would be required to include internal requirements for minimum preferred terms to be included in contracts” with vendors (with the required provisions including multi-factor authentication, encryption at rest and in transit, etc.). SIFMA inquired whether a regulated entity could accept the risk of engaging a vendor that refused to agree to specific contract terms, or whether they were required to forego engaging such vendors at all. The proposed rule attempts to address that by requiring establishment of “preferred provisions to be included in contracts with third party service providers.”
3. Update Written Policies and Procedures. All regulated entities should review current written policies and procedures, and consider amendments/changes to address the new requirements. For some, it will take time to develop the policies, ensure that they are consistent with existing related policies, and obtain necessary internal approvals before they are adopted. Particular focus should be placed on formalizing documentation of risks and exceptions, as those are the materials most likely to be requested by NYDFS. Incident response plans also deserve particular attention, especially with respect to the 72 hour breach notification requirement.
4. Schedule Time with the Board of Directors. The requirement that the Board of Directors, or equivalent, review the organization’s cybersecurity program will take time, especially if regulated entities involve outside experts to help board members understand the program. Doing so is also a best practice that helps board members ensure they are fulfilling their fiduciary duties.