New York's New Guidelines for Cybersecurity Impact Banks, Insurers, Effective March 1
In 2016, cyberattacks against banks revealed weaknesses in the security of the global banking system and created an ongoing concern for financial institution executives. Effective March 1, 2017, bank compliance departments, which already contend with federal cybersecurity laws and industry-wide cybersecurity guidelines, will face the New York State Department of Financial Services’ (NYDFS) expansion of regulation into cybersecurity risk management. The cybersecurity regulation, which comes into effect March 1, will apply to all entities licensed, required to be licensed, or subject to other registration requirements under New York banking, insurance or financial services laws.
Importantly, New York sets precedent as the first state in the nation to require its financial institutions to establish and maintain a cybersecurity program. Other states are likely to follow suit as consumers and legislators become increasingly focused on the integrity of the financial services industry following high profile attacks.
The rules require covered companies to establish a cybersecurity program, adopt a cybersecurity policy, designate a chief information security officer (CISO), ensure the security of Nonpublic Information held by third parties, and conduct annual penetration testing and bi-annual vulnerability assessments and train personnel on cybersecurity, among other requirements. There will be a 180-day transitional period for covered companies to comply, and businesses must annually prepare and submit to the Financial Services Superintendent a Certification of Compliance with NYDFS, starting February 15, 2018.
Breach Notification Requirement
Notably included is a breach notification deadline of 72 hours for a “Cybersecurity Event,” which means any attempt to gain unauthorized access to an information system and which would require notice to any governmental body or would be reasonably likely to materially harm any material part of the entity’s normal operations.
The regulation requires encryption and other controls to protect “Nonpublic Information,” a category including the following business information:
Business related information which, if tampered with or disclosed without authorization, would cause a material adverse impact to the business, operations or security;
Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements:
Social security number;
Drivers’ license number or non-driver identification card number;
Account number, credit or debit card number;
Any security code, access code or password that would permit access to an individual’s financial account; or
Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual that relates to:
The past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family;
The provision of health care to any individual; or
Payment for the provision of health care to any individual.
A covered business must establish a cybersecurity program “designed to ensure the confidentiality, integrity and availability” of the covered business’s information systems. The program must perform five core functions:
(1) Identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored on the covered business’s information systems, the sensitivity of the data, and how and by whom it can be accessed;
(2) Use defensive infrastructure and policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
(3) Detect Cybersecurity Events;
(4) Respond to identified or detected Cybersecurity Events to mitigate any negative impacts;
(5) Recover from Cybersecurity Events and restore normal operations and services; and
(6) Fulfill all regulatory reporting obligations.
At a minimum, the cybersecurity policy must address:
information security, data governance and classification;
access controls and identity management;
business continuity and disaster recovery planning and resources;
asset inventory and device management;
systems operations and availability concerns;
systems and network security;
systems and network monitoring;
systems and application development and quality assurance;
physical security and environmental controls;
customer data privacy;
vendor and third-party service provider management;
risk assessment and incident response.
The cybersecurity policy must be reviewed by the board of directors and approved by a senior officer.
Chief Information Security Officer (CISO)
The CISO must oversee and implement the covered business’s cybersecurity program, and report to the board, at least annually, to review the confidentiality, integrity and security of information systems; detail exceptions to cybersecurity policies and procedures; identify cyber risks; assess the program's effectiveness; summarize all material cybersecurity events.
Third-Party Service Providers
Regulated entities who allow their vendors to access Nonpublic Information will now have to engage in appropriate risk assessment, implement written policies and procedures concerning the minimum cybersecurity practices for vendors, and conduct due diligence processes of third-party vendors and a periodic assessment of third-party vendors’ cybersecurity practices.
While larger banks and insurance companies have built cybersecurity programs following recent and highly publicized intrusions, the regulation will require smaller entities to develop robust cybersecurity programs even when those entities do not have experience with a cybersecurity event.
Covered businesses should quickly consider the following steps to maximize the 180-day transitional period for compliance:
Engage experienced outside counsel and information security experts to conduct a comprehensive risk assessment to evaluate current compliance against the finalized regulation.
Determine the efficacy of the security controls currently in use to safeguard Nonpublic Information and develop additional policies and processes in the event new controls are necessary under the finalized rule.
Establish an internal working group, and with outside counsel and security consultants, create and develop a comprehensive audit plan for the cybersecurity programs, policies and procedures that may be required.
Review third party vendor contracts with counsel and negotiate a contractual addendum that will comply with the finalized regulations’ requirements.