The New York Department of Financial Services has adopted detailed cybersecurity regulations for financial institutions. (Here). The NYDFS has filled a vacuum created by the failure of the federal government to act in this important area. Congress has failed to enact any specific requirements; the federal government continues to rely on voluntary efforts and recommended standards. As long as this vacuum continues, state regulators and even foreign governments will push cybersecurity and data privacy requirements on global businesses.
The cybersecurity regulations apply to bank and trust companies, credit unions, life and health insurance companies, mortgage bankers, money transmitters, investment companies and sales finance companies.
The primary requirements of the regulations require covered entities to:
- Adopt a cybersecurity program, including appropriate policies and procedures based on a risk assessment to identify threats and protect against cyberattacks;
- Conduct a periodic risk assessment that includes criteria to evaluate and categorize cyber risks and evaluate the adequacy of existing controls to mitigate such risks;
- Secure board review and approval of the company’s cybersecurity program, including policies and procedures;
- Designate a chief information security officer (CISO) to maintain the cybersecurity program and compliance with the regulations. The CISO has to report annually to the board of directors on its cybersecurity risks;
- Encrypt all nonpublic information in transit and at rest;
- Implement multi-factor or risk-based authentication to access nonpublic information;
- Implement a third-party risk management system for vendors, suppliers and other outside businesses;
- Maintain a log of all business activities so that financial transactions can be audited;
- Requires the board of directors to certify annually that the company is in compliance with the cybersecurity regulations;
- Provide training awareness programs that are updated each year based on an annual risk assessment;
- Notify the NYDFS within 72 hours of any cybersecurity event that has a “reasonable likelihood of materially harming any normal operation of the entity”; and
- Maintain an incident response plan that provides procedures for responding to a cyber event, responsibilities of each official, and communications and remediation requirements.
The NYDFS has specified that a company’s cybersecurity written policy or policies address the following areas: (a) information security; (b) data governance and classifications; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental concerns; (k) customer data privacy; (l) Vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.
The NYDFS regulations require covered entities to provide multi-factor authentication for external access to the company’s internal network unless the CISO certifies that a less burdensome alternative is reasonably secure (or more secure) than a multi-factor authenticated system.
Covered entities have to encrypt nonpublic information in transit or at rest. For legacy systems, encryption of systems at rest will be difficult. Companies have to undertake a careful assessment of their existing systems in order to determine where nonpublic information may be stored.
The company’s cybersecurity program has to include guidelines for protecting internal software development program. Companies also have to develop security tests for applications developed by third party vendors and suppliers. Such a requirement can be burdensome for financial companies that rely on external vendors for a number of internal processes.