In November, we reported on a proposal by the New York Department of Financial Services (NYDFS) for an extensive cybersecurity framework for its regulated financial institutions. Recently, Governor Cuomo announced a proposed rule requiring banks, insurance companies and other financial services institutions regulated by the NYDFS to establish and maintain a strong cybersecurity program. These regulations include several key requirements for these entities, including:
- Establishment of a cybersecurity program. Institutions would be required to implement policies and procedures to protect against unauthorized use and access to sensitive information. The program should also focus on responsiveness to these incidents and recovery and restoration of business operations.
- Adoption of a cybersecurity policy. The policies and procedures must address several key areas, including information security, data classification and governance, access controls, customer data privacy, risk assessments and incident response.
- Designation of a Chief Information Security Officer (CISO). The CISO would be responsible for oversight and implementation of the cybersecurity program and enforcement of cybersecurity policy.
- Third Party Service Provider oversight. The entity must have policies and procedures ensuring the security of information handled by third parties, including minimum standard cybersecurity practices and periodic assessments of the third party service provider.
Other key requirements of the proposed rule include annual penetration testing; timely destruction of private information, except where necessary; monitoring of authorized users; encryption of nonpublic information in transit and at rest; and a written incident response plan for cybersecurity incidents affecting the confidentiality, integrity or availability of information systems. In addition, regulated entities will be required to provide a yearly report to the NYDFS certifying compliance with the cybersecurity regulations.
Importantly, the proposed rule requires notification to the NYDFS no later than 72 hours after a cybersecurity event that has a reasonable likelihood of materially affecting normal operation, or that includes actual or potential unauthorized tampering with or access to or use of nonpublic information, including any event where notification is provided to a governmental or self-regulatory agency. The proposed rule, however, defines “nonpublic information” broadly. The definition includes:
(1) Any business-related information, the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact on the business, operations or security of the entity;
(2) Any information that an individual provides to the entity in connection with a transaction involving a financial product or service provided by the entity;
(3) Any information, except age or gender, that is created by, derived from or obtained from a health care provider or an individual and that relates to the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family or household, or from the provision of health care to any individual, or from payment for the provision of health care to any individual; and
(4) Any information that can be used to distinguish or trace an individual’s identity, including but not limited to an individual’s name; Social Security number; date and place of birth; mother’s maiden name; biometric records; medical, educational, financial, occupational or employment information; information about an individual used for marketing purposes; or any password or other authentication factor.
Because the definition of nonpublic information is so broad, entities regulated by the NYDFS will need to quickly and thoroughly assess the type of information affected by any potential incident and determine whether notification to the NYDFS is necessary.
The rule was published in the New York State Register on September 28, 2016. It is currently in the 45-day comment period prior to final issuance. Upon final issuance, the rule will go into effect on Jan. 1, 2017. In addition, regulated entities will be required to provide the annual certificate of compliance with the cybersecurity regulations beginning on Jan. 15, 2018.
The proposed rule, which is the first of its kind in the nation, will heighten cybersecurity requirements for financial institutions regulated by the NYDFS. While the rule provides a measure of flexibility for institutions of all sizes to adapt efficiently, it will require these institutions to carefully examine their current cybersecurity standards and make adjustments, where necessary, in order to comply.