After surveying nearly 200 regulated financial institutions to gain insight into the industry’s efforts to prevent cybercrime, and meeting with a cross-section of those surveyed, as well as cybersecurity experts, to discuss emerging trends and risks and the due diligence processes, policies and procedures governing relationships with third-party vendors, the New York State Department of Financial Services (NYDFS) recently released its proposed cybersecurity regulation. The proposed regulation, titled “Cybersecurity Requirements for Financial Services Companies”, would, if implemented, be a first-in-the-nation provision requiring a mandatory cybersecurity program for financial institutions.
Cybersecurity Program. The proposed regulation’s primary purpose is to ensure that all covered financial institutions have a cybersecurity program in place designed to perform the following functions:
- identify internal/external cybersecurity risks;
- use defensive infrastructure to protect covered information;
- detect “cybersecurity events”;
- respond to and mitigate “cybersecurity events”;
- recover from “cybersecurity events”; and
- fulfill regulatory reporting obligations.
Among other things, the cybersecurity program must include/address: (i) penetration testing of the covered financial institution’s information system at least annually, (ii) vulnerability assessment of the institution’s information systems at least quarterly, (iii) implementation and maintenance of audit trail systems, (iv) limitations on access privileges to information systems that provide access to nonpublic information solely to those individuals who require such access to such systems in order to perform their responsibilities, (v) written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the institution, as well as procedures for assessing and testing the security of all externally developed applications utilized, and (vi) encryption of all nonpublic information held or transmitted by the institution both in transit and at rest.
Cybersecurity Policy. Covered financial institutions must also adopt, implement and maintain a written cybersecurity policy, which must address, among other things, information security, business continuity and disaster recovery planning and resources, systems and network security, vendor and third-party service provider management, risk assessment and incident response. The proposed regulation would require that the cybersecurity policy be reviewed by the board of directors and approved by a senior officer at least annually.
Chief Information Security Officer (CISO). Each covered financial institution is also required to designate a CISO responsible for overseeing and implementing the covered financial institution’s cybersecurity program and enforcing its cybersecurity policy. The CISO is required to develop a report, at least bi-annually, for the board of directors of the covered financial institution (i) assessing the confidentiality, integrity and availability of the covered financial institution’s systems; (ii) detailing exceptions to the institution’s cybersecurity policies and procedures; (iii) identifying cyber risks to the institution; (iv) assessing the effectiveness of the institution’s cybersecurity program; (v) proposing steps to remediate any inadequacies identified in the institution’s cybersecurity program; and (vi) summarizing all material cybersecurity events that affected the institution during the time period addressed by the report.
Multi-Factor Authentication. The proposed regulation also requires multi-factor authentication for (i) any individual accessing the covered entity’s internal systems or data from an external network; and (ii) privileged access to database servers that allow access to nonpublic information.
Incident Response. Each covered financial institution shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event affecting the confidentiality, integrity or availability of the institution’s information systems. Such incident response plan shall, at a minimum, address the following areas: (i) the internal processes for responding to a cybersecurity event; (ii) the goals of the incident response plan; (iii) the definition of clear roles, responsibilities and levels of decision-making authority; (iv) external and internal communications and information sharing; (v) remediation of any identified weaknesses in information systems and associated controls; (vi) documentation and reporting regarding cybersecurity events and related incident response activities; and (vii) the evaluation and revision of the incident response plan following a cybersecurity event.
Notice of Cybersecurity Event. The proposed regulation also requires each covered financial institution to notify the superintendent, within 72 hours after becoming aware, of any cybersecurity event that has a reasonable likelihood of materially affecting the normal operation of the institution or that affects nonpublic information.
With the industry-wide shift toward increased regulation of cybersecurity, financial institutions that are not subject to the NYDFS’s proposed regulation may nonetheless wish to pay attention to it and adopt some of its requirements as “best practices”, as it would not be surprising for this type of regulation to begin appearing in other states as well.