New York’s Proposed Cybersecurity Regulation for Financial Institutions: A Bellwether for Comprehensive Cybersecurity Requirements Elsewhere?

On September 13, 2016, New York Governor Andrew M. Cuomo announced a new proposed regulation that would require banks, credit unions, insurance companies, and other financial services institutions regulated by the New York’s Department of Financial Services (DFS) to implement and maintain a cybersecurity program. This proposal may be a bellwether for similar requirements in other states.

The proposed regulation requires DFS-regulated financial services institutions, including, but not limited to, banks, insurance companies, money service businesses (such as money transmitters and check cashers) and regulated virtual currency operators, to do the following:

• Establish a cybersecurity program that performs five functions:
  1. Identification of cyber risks
  2. Implementation of policies and procedure to protect against unauthorized access or use, or other malicious threats;
  3. Detection of cybersecurity events;
  4. Responsiveness to identified cybersecurity events to mitigate negative events; and
  5. Recovery from cybersecurity events and restoration of normal events and services.
• Adopt a written cybersecurity policy setting forth policies and procedures for the protection of information systems and nonpublic information;
• Require a review of the cybersecurity policy at least annually by the board of directors;
• designate a qualified individual to serve as a Chief Information Security Officer (CISO) responsible for overseeing, implementing the institution’s cybersecurity program and enforcing the institution’s cybersecurity policy;
• implement policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties; and
• comply with a number of additional requirements, including annual penetration testing and vulnerability assessments, encryption of all nonpublic information (whether at-rest or in transit), use of multi-factor authentication, employee training, and the obligation to notify the DFS within 72 hours “after becoming aware of a Cybersecurity Event.”

New York’s DFS has published guidance describing the proposed regulation’s requirements.

In his press release Governor Cuomo said “[t]his regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”

The proposed regulation is subject to a 45-day notice and public comment period. Of note, several of its requirements go into effect at some point following the effective date of the regulation. For example, the requirement that nonpublic information be encrypted in transit goes into effect one year from the Proposed Regulation’s effective date.

While organizations such as the Federal Financial Institutions Examination Council (FFIEC) have continued to update guidance to financial institutions regarding the components of an appropriate information security program, the DFS proposed regulation would place a great many more requirements on financial institutions.

Other federal and state regulators may follow suit.