New York Department of Financial Services Previews Rigorous Cybersecurity Rules for Financial Sector
Cybersecurity Regulations: A Predictable Next Step
The NYDFS has taken a keen interest in cybersecurity in recent years, and its contemplation of new regulations arises from several years of data collection and reporting on regulated entities’ responses to cybersecurity challenges. Beginning in 2013, NYDFS conducted a series of surveys of regulated entities, requesting detailed information about their cybersecurity practices, including corporate governance practices, frequency of and responses to cybersecurity breaches, cybersecurity budget and costs, third-party vendor safeguards, and future plans on cybersecurity. Guided by the information collected, the NYDFS expanded its information technology examination procedures for regulated financial institutions to focus more on cybersecurity and the conduct of risk assessments.
This focus on cybersecurity as a growing risk, coupled with a principle coined “financial federalism” by former NYDFS Superintendent Benjamin Lawsky, has resulted in the NYDFS leading federal and state regulators in addressing cybersecurity concerns. The principle of “financial federalism” refers to state regulators acting themselves rather than giving deference to “watered down” federal financial regulations developed in the interest of “consistency” and “harmony.” During a speech in February 2015, former Superintendent Lawsky explained financial federalism as warranting a “catalytic role” for states to play in regulating Wall Street, arguing that states “should not be afraid to speak up and act if we spot new risks emerging in the market,” taking into consideration initiatives at the federal level, but not waiting for federal regulators to take the lead. Former Superintendent Lawsky noted that strengthening cybersecurity practices in the financial markets was an example of this principle in action.
Former Superintendent Lawsky further asserted that cybersecurity is the “most important issue that [NYDFS] will face in 2015” and identified three specific initiatives: (1) revising regular examinations of banks and insurance companies to include targeted assessments of cybersecurity preparedness; (2) addressing the cybersecurity of third-party vendors; and (3) supporting the use of multi-factor authentication. As discussed in more detail below, the potential cybersecurity regulations will likely contain requirements relating to each of these three areas.
In his November 9, 2015 letter, Acting Superintendent Albanese echoes former Superintendent Lawsky in stating that cybersecurity is “among the most critical issues facing the financial world today.” He identifies three core views: (1) the speed of technological change and increasingly sophisticated threats means that companies must have dynamic cybersecurity programs; (2) the most sophisticated company cybersecurity programs will essentially be meaningless if third-party service providers with access to data and company systems have inadequate procedures and practices; and (3) the global breadth of cybersecurity risks makes threats ubiquitous.
Areas of Focus for Potential Regulations
In its November 9 letter, the NYDFS contemplates that potential cybersecurity regulations would require regulated entities to adopt comprehensive cybersecurity programs. Robust potential regulations would seek to address the following areas:
- Cybersecurity Governance: policies and practices would be required to address information security, data governance and classification, access controls and identity management, business continuity and disaster recovery preparedness, capacity and performance planning, systems operations and availability concerns, systems and network security, systems and application development and quality assurance, physical security and environmental controls, customer data privacy, vendor and third-party service provider management, and incident response.
- Third-Party Service Provider Management: policies and procedures would be required to ensure that third-party service providers comply with certain cybersecurity practices including: the use of multi-factor authentication, the use of encryption to protect sensitive data in transit and at rest, cybersecurity incident reporting requirements, indemnification provisions, cybersecurity audits, and certain representations and warranties relating to information security.
- Multi-Factor Authentication: the use of multi-factor authentication would be required for customer access to web applications capturing or displaying confidential information, privileged access to database servers allowing access to confidential information, and remote access.
- Personnel: Regulated entities would be required to designate a Chief Information Security Officer and employ adequate cybersecurity personnel to manage the entity’s cybersecurity risks and perform core cybersecurity functions. Such personnel would be required to receive regular mandatory training.
- Annual Audit and Report: Regulated entities would be required to conduct annual penetration testing and quarterly vulnerability assessments, and to maintain an audit trail system. They would also be required to submit to the NYDFS an annual report assessing the cybersecurity program and the cybersecurity risks to the entity.
- Cyber Incident Reporting: Regulated entities would be required to immediately notify the NYDFS of cybersecurity incidents of which the entity’s board is notified and which would have a reasonable likelihood of materially affecting the normal operation of the entity. Reporting would also be required for incidents that would trigger other notice provisions under New York law or involve the compromise of nonpublic personal health information, private information, payment card information, or any biometric data.
While Acting Superintendent Albanese’s letter addresses these areas at a very high level, with specific regulations yet to be proposed, it is notable that some of the items identified would go beyond the regulatory requirements in other existing regimes. For example, a regulatory requirement mandating that covered entities ensure that third parties encrypt sensitive data at rest goes beyond what several other regulatory regimes have typically required. Moreover, prescribing that covered entities obtain indemnification in vendor contracts goes further than existing regulations in terms of potentially dictating what are typically commercially negotiated terms. Finally, the breach notice requirements create notable triggers for notifying the NYDFS, including when an incident creates “a reasonable likelihood of materially affecting the normal operation of the entity” and for any incident where the regulated entity’s board is notified. The latter trigger could have the unintended consequence of chilling communications with a board about cybersecurity incidents.
It will be important for financial institutions regulated by the NYDFS, and vendors who serve those entities, to carefully monitor any actual resulting regulations the NYDFS may propose. Industry will want to carefully assess such proposed regulations and consider participating in the rulemaking process. Given the NYDFS’s outreach to the broad array of FBIIC members and its specific call for further dialogue, collaboration, and regulatory convergence on the topic, industry should also closely monitor the extent to which other federal and state regulators may be influenced by the NYDFS proposal.