New York's Department of Financial Services (DFS) has a proposed broad-reaching cybersecurity regulation that would impose new corporate governance, risk management and vendor management requirements on banks and other financial services entities.

What happened

With the threat of cybercriminals continuing unabated, the DFS proposed "first-in-the-nation" regulation for banks, insurance companies and other financial services institutions under its jurisdiction. The "Cybersecurity Requirements for Financial Services Companies" represent minimum standards and were drafted to allow institutions to maintain flexibility to keep pace with technological advances.

"This regulation requires each company to assess its specific risk profile and design a program that addresses its risk in a robust fashion," the DFS wrote. "Senior management must take this issue seriously and be responsible for the organization's cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity's cybersecurity program must ensure the safety and soundness of the institution and protect its customers."

Covered entities include "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law." As a result, nationally chartered institutions, such as national banks, would not be subject to the regulation.

The regulation would require covered entities to establish and maintain a cybersecurity program that is "designed to ensure the confidentiality, integrity and availability" of the entity's information systems and "nonpublic information," including any business-related information, information provided to a covered entity, healthcare information, and personally identifiable information. Certain core cybersecurity functions should be included in the program, according to the regulations, such as identifying internal and external cyber risks, the use of defensive infrastructure, and fulfillment of all regulatory reporting requirements.

Covered entities also need to implement and maintain a cybersecurity policy covering a broad array of topics, from business continuity and disaster recovery planning and resources to incident response to physical security and environmental controls. The policy must be reviewed and approved by the board of directors or an equivalent governing body, DFS said.

If a financial institution has not already done so, the regulations mandate the appointment of a Chief Information Security Officer (CISO) "responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy." The CISO must provide a report to the board (at least biannually) about the state of the program and enforcement of the policies and procedures, made available to the DFS Superintendent upon request.

Third-party access to information systems should receive special attention in a Covered Entity's written policies and procedures, DFS noted. Entities should conduct a risk assessment of all third parties with access to nonpublic information or information systems, establish minimum cybersecurity practices for third parties to do business together, and perform at least annual assessments of the continued adequacy of a third party's cybersecurity practices.

Some of the regulations' requirements are quite granular, such as those mandating limitations on access privileges, the use of multifactor authentication, limits on data retention, and the encryption of nonpublic information (both in transit and at rest).

Covered entities are also required to notify DFS of any cybersecurity event with a "reasonable likelihood of materially affecting the normal operation of the Covered Entity" or "that affects nonpublic information," within 72 hours of becoming aware of the event. The regulations define the term "cybersecurity event" as "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System."

DFS offers limited exemptions from the regulations for covered entities with fewer than 1,000 customers in each of the last three calendar years, less than $5 million in gross revenue over the last three fiscal years, and less than $10 million in year-end total assets.

To read the DFS cybersecurity regulations, click here.

Why it matters

Because of the large number of banks, insurance companies and other financial institutions based in New York, the regulation is likely to have nationwide impact on financial institutions' cybersecurity compliance practices. Set to take effect January 1, 2017, the regulations are based in part on the DFS's recent survey of regulated financial institutions and their cybersecurity practices. "Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with," DFS Superintendent Maria T. Vullo said in a statement. "DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs. Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks." Financial institutions should familiarize themselves with the regulations, which could provide the basis for similar standards in other states or from federal regulators.