Last September, New York’s Department of Financial Services (DFS) took a major step forward in its efforts to improve the cybersecurity posture of financial institutions (including banks and insurance companies) by proposing the first-in-country cybersecurity regulations. By any measure, the proposed regulations are comprehensive and demanding, and admittedly are intended by DFS to be "groundbreaking." The proposal contains a number of prescriptive requirements that are substantially more rigorous than current best practices and would require major operational changes for many organizations.
Key Components
The regulations would require entities to fulfill a variety of requirements, including the establishment of a cybersecurity program, and the adoption of a cybersecurity policy, which must be approved by the board or by a senior officer, and which encompasses key risk areas including information security, access controls, business continuity, data privacy, vendor management and incident response.
See also: If the Regulations Don’t Fit, You Must…
The proposal would also require covered entities to designate a chief information security officer (CISO), who will be responsible for implementing, overseeing and enforcing the cybersecurity program and policy. The CISO would need to develop a report, at least bi-annually, that addresses a prescribed list of issues. The report would then be presented directly to the company’s board. The board chair or a senior office would be required to submit an annual certification of compliance with the regulations, which might expose the individual to liability if the entity is, in fact, noncompliant.
In addition, the proposed regulations broadly define a “cybersecurity event” as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.” The covered entity would be required to notify the superintendent of financial services within 72 hours of any such event if it "has the reasonable likelihood of materially affecting the normal operation of the covered entity or that affects nonpublic information." This raises the question of how an unsuccessful attack could ever have a reasonable likelihood of materially affecting operations or protected information. But a fair reading of the reporting mandate in light of the definition would not appear to allow for blanket disregard of failed attacks, even though major financial institutions thwart countless potentially devastating attacks on a daily basis. If this proposed requirement becomes part of the final regulation, the burden on covered entities and the DFS itself may be quite substantial.
Covered entities also would need to encrypt nonpublic information in transit and at rest. Although compensating controls approved by the CISO can be used if encryption is not currently feasible, the regulations would impose deadlines of January 2018 and January 2022 for encryption of data in transit and at rest, respectively. Encryption of at-rest data is likely to be one of the most challenging DFS requirements.
The proposed regulations contain many additional requirements, including:
- Implement a fully documented incident response plan;
- Maintain audit logs on system changes for six years;
- Annually review and approve all policies and procedures:
- Dispose of, in a timely manner, sensitive information that is not needed to provide services;
- Use multi-factor authentication for privileged access to database servers that allow access to nonpublic information;
- Adopt policies, procedures and controls to monitor authorized users and detect unauthorized access; and
- Institute mandatory cybersecurity awareness training for all personnel.
