New York Governor Andrew Cuomo announced last week a first-of-its-kind proposed cybersecurity regulation for New York-regulated financial services companies that would impose broad new cybersecurity program requirements and require the appointment of a Chief Information Security Officer. In addition to having the capacity to identify cybersecurity risks and deter or prevent data breaches, entities regulated by the New York Department of Financial Services (DFS) would be required to establish a cybersecurity program that can mitigate the negative effects of a breach and restore normal operations and services, typically through backup and redundant capabilities. A compliant program would include annual penetration testing, employee training and an audit trail system.
The proposed regulation would also require the adoption of a written cybersecurity policy that addresses not only traditional network security and controls like encryption and multifactor authentication, but also:
- business continuity and disaster recovery planning and resources
- capacity and performance planning
- systems operations and availability concerns
- systems and network security and monitoring
- systems and application development and quality assurance
- physical security and environmental controls
- customer data privacy
- vendor and third-party service provider management (such providers would themselves be required to maintain minimum cybersecurity practices and to be assessed at least annually)
- risk assessment
- incident response.
While the specificity in the draft regulation provides a useful road map for firms looking to bring their policies up to date, it also underscores the need for institutions to ensure that unwritten or informal policies, even where followed rigorously, are properly documented. The current draft also broadly defines “nonpublic information” that must be protected by encryption to include “any information that can be used to distinguish or trace an individual’s identity.”
The regulation also requires that a firm’s cybersecurity policy be implemented by a designated Chief Information Security Officer who reports at least biannually to the board of directors on certain designated topics, including breach reports and the remediation of deficiencies. Significantly, the regulations require that the DFS be informed of any material breaches within 72 hours of their discovery.
While the Securities and Exchange Commission has monitored and enforced cybersecurity at registered investment advisers since 2014 through its Office of Compliance Inspections and Examinations, this represents a significant step by the DFS to regulate the cybersecurity policies and practices of financial institutions. Prior to proposing the regulation, the DFS surveyed almost 200 regulated banking and insurance institutions to identify best practices and emerging risks. The DFS has been particularly focused on risks posed by third-party service providers, as detailed in an April 2015 DFS report titled “Update on Cyber Security in Banking Sector: Third-Party Service Providers.”