On September 13, 2016, the New York State Department of Financial Services (“DFS”) released proposed cybersecurity regulations for financial institutions.1 When the regulations become effective, they will make New York the first state to implement mandatory cybersecurity requirements on financial institutions, though others are now likely to follow New York’s lead. The regulations are the culmination of several years of DFS interest in how financial services companies address cybersecurity issues. The regulations will be open for public comment for 45 days and are set to take effect on January 1, 2017.
The proposed regulations apply to all entities that are licensed or registered under New York banking, insurance, or financial services laws, which include a broad array of institutions, such as: state-licensed banks, savings banks, insurance companies, private bankers, licensed lenders, mortgage companies, and state-licensed offices of non-U.S. banks.2 Under the proposed regulations, covered institutions must appoint a chief information security officer3 and “[s]enior management must take this issue seriously and be responsible for the organization's cybersecurity program and file an annual certification confirming compliance with these regulations.” In addition, the proposed regulations require covered entities to report to DFS within 72 hours any cybersecurity event “that has a reasonable likelihood of materially affecting the normal operation of the entity or that affects Nonpublic Information.”
The proposed regulations require each covered entity to assess its risk profile and design, implement and maintain policies and procedures that are tailored to its needs, addressing, at a minimum:
- Information security;
- Data governance and classification;
- Access controls and identity management;
- Business continuity and disaster recovery planning and resources;
- Capacity and performance planning;
- Systems operations and availability concerns;
- Systems and network security;
- Systems and network monitoring;
- Systems and application development and quality assurance;
- Physical security and environmental controls;
- Customer data privacy;
- Vendor and third-party service provider management;
- Risk assessment; and
- Incident response.
Though many of the proposed requirements reflect best practices and are consistent with existing guidance and regulations from other financial industry regulators, covered entities should evaluate their existing policies against the proposed regulations. Such analysis is especially important in light of potential enforcement actions for noncompliance.
1 The proposed regulations are available here. DFS also released additional information about the regulations, available here.
2 The proposed regulations include certain limited exceptions for smaller institutions.
3 A covered entity could fulfill this obligation using a third party service provider if the covered entity (1) retains responsibility for compliance with the regulations; (2) designates a senior officer to oversee the third party service provider; and (3) requires that the third party maintain a cybersecurity program that meets the requirements of the regulations.