On September 13, 2016, the New York Department of Financial Services (DFS) proposed new cybersecurity regulations (Proposed Regulations) that would require banks and other financial institutions to adopt minimum cybersecurity standards. In some ways the Proposed Regulations are consistent with the Federal Financial Institutions Examination Council (FFIEC) cybersecurity awareness guidelines and FFIEC’s Information Technology (IT) Examination Handbook (IT Handbook) resources. However, DFS’s Proposed Regulations would go beyond current FFIEC standards and would be the first-in-the-nation rules to require a prescriptive cybersecurity program for financial institutions. New York banks regulated by the federal banking agencies will need to review their existing cybersecurity programs to confirm that those programs comply, but many insurance companies and other financial institutions licensed and regulated by DFS may be challenged to comply by the proposed January 1, 2017 effective date.
While there will be a 180-day compliance transition period from the January 1, 2017 effective date, in-scope entities should promptly begin reviewing their existing cybersecurity policies, procedures and compliance programs to determine whether there are any gaps. Some entities, particularly smaller financial institutions, may find the compliance deadline aggressive. However, given the economic harm caused by cyberattacks and New York’s status as a financial center, other state and local regulators are quite likely to follow New York’s lead and require banks and financial institutions to adopt similar cybersecurity programs.
This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible. – Governor Cuomo
The Proposed Regulations follow DFS’s February 2015 Report on Cybersecurity in the Insurance Sector, which found that 23% of New York insurance companies had been the target of “phishing” or other email scams, and DFS’s May 2014 Report on Cybersecurity in the Banking Sector, which found that 21% of banks had experienced phishing attacks, so DFS’s proposal addresses an understandably concerning issue. What follows is an in-depth summary of the regulations and a comparison with FFIEC standards, along with recommended considerations for entities that may be in scope.
Entities in Scope
The Proposed Regulations would apply to all entities licensed, required to be licensed, or subject to other registration requirements under New York banking, insurance or financial services laws (Covered Entities). The Proposed Regulations include a narrow exemption that will likely apply only to a small subset of smaller financial institutions or community banks.
The Proposed Regulations prescribe certain written policies and procedures and require Covered Entities to adopt cybersecurity programs designed to ensure the safety and soundness of the institution by safeguarding customer “nonpublic information”. FFIEC defines nonpublic information to mean (i) “personally identifiable financial information”; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any “personally identifiable financial information” that is not publicly available. The Proposed Regulations’ formal definition of nonpublic information is broader than FFIEC’s. Covered Entities may find that the new definition of nonpublic information presents IT and compliance issues when implementing the Proposed Regulations.
Summary of Proposed Regulations & Comparison with Existing FFIEC Standards
The institution would be required to adopt a formal cybersecurity program with six core functions:
- identify internal and external cyber risks by identifying the nonpublic information stored on the Covered Entity’s information systems, its sensitivity, how it is accessed and who may access it;
- use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s information systems and the nonpublic information stored on those systems;
- detect cybersecurity events;
- respond to identified or detected cybersecurity events to mitigate any negative effects;
- recover from cybersecurity events and restore normal operations and services; and
- fulfill regulatory reporting obligations.
These six cybersecurity functions are similar to FFIEC’s five cybersecurity preparedness functions:
- risk management and oversight,
- threat intelligence and collaboration,
- cybersecurity controls,
- external dependency management and
- cyber incident management and resilience.
However, the DFS proposal adds an additional DFS reporting obligation that may not necessarily be required by other financial regulators.
Federally regulated banks should already have a written cybersecurity policy based on the Office of the Comptroller of the Currency (OCC) Part 30 “safety and soundness” standards, as well as FFIEC examination guidelines. However, banks and other Covered Entities will need to review their cybersecurity policies to confirm that their policies address each of the issues required by the Proposed Regulations. Under the Proposed Regulations, a Covered Entity’s cybersecurity policy must address, at a minimum, 14 different prescribed areas.
Chief Information Security Officer
The FFIEC IT Handbook describes the role and responsibilities of the Chief Information Security Officer (CISO) in a financial institution. The Proposed Regulations go beyond the FFIEC guidelines and require that Covered Entities formally designate a CISO and require that the CISO develop a report, at least bi-annually, for the board of directors that:
- assesses the integrity of the information systems;
- details exceptions to the policies and procedures;
- identifies cyber risks;
- assesses the effectiveness of the cybersecurity program;
- proposes steps to remediate any inadequacies; and
- summarizes all material cybersecurity events.
Covered Entities may outsource the CISO function, but would remain responsible for CISO compliance requirements.
Penetration Testing and Vulnerability Assessments
FFIEC guidelines don’t prescribe any specific frequency for penetration tests (so-called Pen Tests) or vulnerability assessments. The Proposed Regulations would require penetration tests at least annually and vulnerability assessments at least quarterly. This could present a compliance challenge for community banks and smaller financial institutions, many of which perform vulnerability assessments only annually. Weighing the potential costs of a customer data breach against the benefits of Pen Tests, community banks and smaller institutions should consider performing Pen Tests and vulnerability assessments quarterly or more frequently, depending on the size and complexity of the institution.
Covered Entities would be required to track and maintain cybersecurity records, and all data relating to system access by authorized users and any cybersecurity events, for at least six years.
Covered Entities must limit access privileges to information systems that provide access to nonpublic information solely to those individuals who require such access. Covered Entities must periodically review access privileges.
Any IT applications or programs developed in-house must have their own custom cybersecurity program to ensure secure development practices. The in-house application’s cybersecurity program should also include written policies and procedures assessing and testing security. These policies and procedures must be reviewed at least annually by the CISO.
At least annually, Covered Entities must undertake a risk assessment in accordance with their policies and procedures. The risk assessment must, at a minimum, include criteria for identifying and assessing risks, and documentation describing the justification for the identified risks. The risk assessment required under the Proposed Regulations may be undertaken in the context of the inherent risk profile analysis set forth in the FFIEC IT Handbook.
Cybersecurity Personnel and Intelligence
In addition to naming a CISO, Covered Entities would have to employ IT personnel sufficient to manage the institution’s cybersecurity risk. However, institutions would be permitted to outsource the IT risk management functions to a qualified third party. Covered Entities would also have to provide and require annual cybersecurity training sessions for their IT and other cybersecurity personnel.
Third Party Information Security Policy
Covered Entities would be required to adopt written policies and procedures designed to ensure the security of information systems and nonpublic information accessible to third party vendors. The Proposed Regulations’ third party information security procedures expand upon the OCC’s October 2013 Third Party Risk Management Guidance and the Federal Reserve Board’s December 2013 Guidance on Managing Outsourcing Risk. Under the Proposed Regulations, Covered Entities must include preferred provisions in contracts with third party service providers (Preferred Provisions) requiring those providers to comply with specified cybersecurity standards, permit auditing, and make certain representations and warranties. It’s unclear whether the Preferred Provisions must be added to existing contracts and service agreements. If not already required, banks and other financial institutions should confirm that Preferred Provisions are included in their policies, procedures and terms of service with third party service providers.
The Proposed Regulations would require Covered Entities to use multi-factor authentication for any individual accessing the institution’s internal systems or database servers that store nonpublic information. FFIEC guidelines encourage multi-factor authentication for e-banking and mobile financial services, but don’t require banks to use multi-factor authentication for individuals accessing internal systems or database servers generally. The Proposed Regulations would define multi-factor authentication in a way that permits the use of biometric characteristics. The FFIEC IT Handbook does not specifically address biometric factors but would permit them.
Limitations of Data Retention
Covered Entities would have to adopt policies and procedures for the “timely” destruction of nonpublic information that is no longer needed to provide products or services (except where such information is required to be retained under law). The Proposed Regulations do not suggest a maximum time period for data destruction that DFS would consider “timely”.
Training and Monitoring
The Proposed Regulations would require Covered Entities to adopt policies and procedures designed to monitor authorized users’ activities, detect unauthorized use of information systems and require all personnel to attend regular cybersecurity awareness training.
Encryption of Nonpublic Information
All nonpublic information, both in transit and at rest, must be encrypted unless currently infeasible. To the extent encryption is not feasible, the Covered Entity must develop appropriate controls as an alternative to encryption. The CISO must review and approve any alternative controls.
Incident Response Plan
The Proposed Regulations require an incident response plan similar to FFIEC’s incident response program. The key difference is that the Proposed Regulations don’t specifically address any requirements to file Suspicious Activity Reports or give notice to cybersecurity information sharing organizations (for example, the Financial Services Information Sharing and Analysis Center); however, the Proposed Regulations do require notification to DFS within 72 hours of becoming aware of a cybersecurity event. Some institutions may find the 72-hour notice requirement challenging, especially when they may already be in contact with other regulators or working with federal investigators on the issue. Furthermore, a Covered Entity would be required to deliver a certification to DFS of its compliance with its cybersecurity program every year by January 15.
Whew! That was a lot. So what is not required?
Many states have customer notification requirements in the event of a cybersecurity event. The Proposed Regulations would require notice to DFS within 72 hours of a breach, but not necessarily a public announcement or notice to an institution’s customers that their nonpublic information has been compromised. The Proposed Regulations do not require or recommend that Covered Entities obtain cybersecurity insurance coverage. The omission of cyber insurance from the Proposed Regulations is notable because in December 2014, DFS became the first financial regulator in the nation to include cybersecurity insurance as part of its cybersecurity examination procedures for New York chartered banks. Currently, FFIEC does not require customer notification upon a data breach, nor does it require banks to obtain cyber insurance.