On September 13, New York Governor Andrew Cuomo and the New York Department of Financial Services (NYDFS) announced new regulations that, if put into effect, would impose a myriad of cybersecurity requirements on banks, insurers, money services businesses and other financial institutions operating under New York law to protect sensitive, nonpublic information.
While deploying cybersecurity measures to protect sensitive financial data – including consumers’ account information – is nothing new for financial services companies, the Empire State’s proposed regulations appear to be the first time a state has attempted to closely regulate financial services companies’ cybersecurity efforts directly either through legislation or imposing formal rules. Other states may be expected to follow suit.
Under the NYDFS’ proposed regulations, a company operating under New York’s banking, insurance, or financial services laws must establish a “cybersecurity program” designed to ensure the confidentiality, integrity, and availability of its information systems. The cybersecurity program must incorporate the following, among other things:
- Conducting annual penetration tests and quarterly vulnerability scans of its systems;
- Encrypting all nonpublic information in transit and at rest or implementing compensating controls;
- Implementing detailed audit trail systems to reconstruct financial transactions, log access privileges, and system events;
- Monitoring authorized users and deploying measures to detect unauthorized access;
- Creating an incident response plan; and
- Conducting regular cybersecurity training for employees.
It is unclear how the detailed requirements in the regulation will remain current or effective as financial services companies adopt new and enhanced technology protections in response to evolving cyberthreats.
Beyond developing a cybersecurity program, a financial services company must take other steps under the proposed rules, including:
- appointing a Chief Information Security Officer (CISO) and employing cybersecurity personnel to implement the cybersecurity program;
- utilizing multi-factor authentication;
- developing a third party information security policy requiring third party vendors to have minimum cybersecurity practices and mandating periodic vendor monitoring;
- maintaining a written cybersecurity policy; and
- notifying the NYDFS within 72 hours of a “cyber event” – which is defined broadly in the proposed regulation as any attempt to gain unauthorized access to, disrupt or misuse a financial services company’s information system or data stored on such system, regardless of whether the attempt is successful.
Although the proposed cybersecurity regulations are extensive, New York isn’t venturing into entirely uncharted territory. Indeed, regulators and entities such as the Federal Financial Institutions Examination Council (FFIEC) already offer guidance for banks and other institutions on many of these measures. The FFIEC, for instance, currently provides a Cybersecurity Assessment Tool to help institutions assess their cyber risk. This past June, the FFIEC also published a reminder to financial institutions about the importance of actively managing cyber risks consistent with current regulatory expectations. The reminder, which took the form of a joint statement from the FFIEC members, advised additional measures to prevent unauthorized access to information systems, such as: employing up-to-date firewalls and anti-virus protections, encrypting sensitive data in transit and at rest, conducting regular access audits, and utilizing multi-factor authentication, among other suggested measures. Consequently, financial services companies covered by such guidance may already comply with New York’s proposed rules. The significance, however, is that states are starting to take a more active role in developing mandatory cybersecurity standards for companies under their jurisdiction. We may thus see other states follow New York’s lead and impose their own cyber regulations on companies within their borders, much as other states developed their own consumer data breach notification statutes after California paved the way in 2003.
If the past is any guide, in the coming years companies may face a state-by-state patchwork of cybersecurity standards in lieu of a uniform, national standard (much like we currently see with consumer breach notification requirements), adding more complexity to the cybersecurity and financial services regulatory landscape.
The NYDFS’ proposed rules were published in the New York State Register on September 28, and public comments were due Monday, November 14. The proposed rules will become effective after they are published in the New York State Register.