N.Y. Moves Ahead with Proposed Cybersecurity Regulations for Financial Institutions

Ballard Spahr LLP

The New York Department of Financial Services (NYDFS) will require all institutions subject to NYDFS supervision to establish and maintain a cybersecurity program meeting "certain regulatory minimum standards." All financial institutions under NYDFS jurisdiction—including banks, state-licensed lenders, mortgage industry companies, insurance companies, and money services businesses—should carefully assess whether existing security measures will need to be enhanced and what additional steps may need to be taken to satisfy the requirements in the proposed regulations.

Financial institutions should be aware of the realistic possibility that any final regulations promulgated by the NYDFS could become the de facto national standard. Financial institutions should carefully consider whether to engage the NYDFS as it moves forward in finalizing the regulations.

Under the proposed regulations, financial institutions will be required to:

  • Establish a cybersecurity program designed to ensure the confidentiality, integrity, and availability of information systems;

  • Adopt a written cybersecurity policy, setting forth policies and procedures for the protection of: information systems and nonpublic information, including data governance and classification; access controls and identity management; business continuity and disaster recovery planning and resources; capacity and performance planning; systems operations and availability concerns; monitoring; application development and quality assurance; physical security and environmental controls; customer data privacy; and incident response. The cybersecurity policy must be reviewed by the board and approved by a senior management officer;

  • Designate a qualified individual to serve as the company's Chief Information Security Officer (CISO), who will be responsible for overseeing and implementing the company's cybersecurity program and enforcing its cybersecurity policy. Importantly, the CISO must provide at least biannual reports to the company's board about the cybersecurity program, including the effectiveness of the program, risks, security incidents, and recommendations on remediation as appropriate;

  • Have policies and procedures relating to managing third-party relationships, including conducting appropriate due diligence prior to entering into any such relationship and appropriately monitoring for and assessing the adequacy of cybersecurity measures by those third parties;

  • Establish a written incident response plan designed to promptly respond to, and recover from, any broadly defined "Cybersecurity Event." The regulation sets forth seven areas that the incident response plan must address "at a minimum;"

  • Notify the DFS Superintendent within 72 hours of any "Cybersecurity Event that has a reasonable likelihood of affecting the normal operation" of the company, affects nonpublic information, or involves the "actual or potential unauthorized tampering with, or access to or use of, Nonpublic Information."

The proposed regulations also set forth additional elements required for financial institutions' cybersecurity programs. Unlike more generalized guidance that has been issued by other regulators, these detailed regulations describe on a more granular level various security measures that constitute "minimum standards," such as annual penetration testing and risk assessments; logging and audit trail systems capable of "complete and accurate reconstruction" of transactions and accounting relating to cybersecurity events; multi-factor authentication for remote or privileged access to internal systems or database servers; data destruction standards; encryption of all nonpublic information at rest and in transit; and a variety of others.

As previously reported, NYDFS has been working with federal and state regulatory agencies and financial institution associations in developing the new cybersecurity regulations. Financial institutions seeking to provide input on the final regulations may still submit comments during a 45-day notice and public comment period before the regulations are finalized. The comment period begins upon publication of the proposed regulations in the New York State Register on September 28, 2016.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
