The new cybersecurity rules proposed by the New York
State Department of Financial Services require financial services institutions
to have extensive cybersecurity protections in place, including cybersecurity
programs, policies, personnel, risk assessments, trainings, and breach
reporting within 72 hours.
As we recently reported, the New York State
Department of Financial Services (DFS) issued a set of proposed cybersecurity
rules for New York financial services companies (Rules), in response to the
many high profile cybersecurity breaches and hacks over the past few years. The
Rules set minimum standards for financial services companies in an effort to
keep their sensitive financial data and systems, and their customers' personal
information, safe from breach and from cybercriminals. While many financial
institutions already have robust cybersecurity programs which may be similar to
the minimum standards set by the Rules, the Rules will also require each
institution to jump through at least a few additional hoops, such as conducting
audits, regularly certifying their compliance, and appointing a Chief
Information Security Officer.
Who is covered under the Rules?
The Rules apply to almost all individuals, partnerships, and corporations
operating in the banking, insurance and other financial services industries
within New York and regulated by the DFS. They require all entities that are
operating under a license, registration, charter, certificate, permit,
accreditation or similar authorization under New York banking, insurance, or
financial services laws to meet the minimum standards set forth. See §
500.01(c). This includes state-chartered commercial banks and state-licensed
branches and agencies of foreign banks.
However, the Rules include limited exemptions for smaller entities.
Entities with fewer than 1,000 customers, less than $5M in gross annual
revenue, and less than $10M in total assets (including affiliates) are exempt
from the requirements involving the maintenance of specific cybersecurity
personnel and conducting trainings, audits, and vulnerability tests. See §
500.18(a).
What do the Rules require?
The text of the Rules and a helpful overview published by DFS can be found here. The Rules require the following of financial services
companies:
- Program: Establishment and maintenance of a
cybersecurity program. See § 500.02. As well as certain measures described
in more detail below, the program must include:
- An infrastructure to protect the company's
sensitive information systems and private information from unauthorized
access, use, and malicious attacks;
- A mechanism for detecting unauthorized access to, or attempted breaches
of, the information systems, for stopping any breach that is detected,
and for recovering from it; and
- An adherence to all regulatory reporting
obligations.
- Policy: Maintenance of a written
cybersecurity policy. See § 500.03(a). The policy must be reviewed annually
by the board of directors and approved by a senior officer responsible for
compliance or information security. See § 500.03(b). The cybersecurity policy must address:
- Security measures currently in place to
protect the information systems and customer data privacy;
- Procedures to maintain, monitor, and
update the information systems and networks, including management of
third-party service providers;
- Assessments of the information systems'
security risks and operations concerns; and
- Procedures to respond and recover from
security breaches.
- Encryption: Encryption of all
nonpublic information in transit and at rest. Where encryption is currently
infeasible, the Rules allow alternative compensating controls, which must be
reviewed and approved by the Chief Information Security Officer. See § 500.15.
- Multi-Factor
Authentication: Employment of multi-factor authentication for access to
internal systems from external networks, for privileged access to database
servers, and for web applications that handle nonpublic information, and of
risk-based authentication for access to web applications. See §
500.12.
- Application
Security: Adoption
of procedures (with annual reviews) for secure development practices for
all in-house developed application and assessment and security testing of
all externally developed applications. See §
500.08.
- Third
Party Information Security: Implementation of written policies and procedures regarding the
security of the company's information systems and nonpublic information
that are accessible by third parties doing business with the company. See § 500.11.
- Data
Retention Limitations: Implementation of policies and procedures for the timely
destruction of any nonpublic information. See §
500.13.
- Testing
and Risk Assessment: Testing of the company's cybersecurity program and assessment of
risks to the company's information systems. See §§ 500.05; 500.09. The
testing must include a quarterly vulnerability assessment in addition to
an annual penetration test. A formal risk assessment report, evaluating
and categorizing the identified risks, must also be drafted annually.
- Personnel: Retention of
cybersecurity personnel. See §§ 500.04; 500.10.
Specifically:
- Appointment
of a Chief Information Security Officer, who is responsible for:
- implementing
the cybersecurity program and enforcing the cybersecurity policy, and
- drafting
a biannual report detailing the integrity of the information systems and
cybersecurity program and summarizing any security breaches and attempts
that occurred; and
- Employment of a cybersecurity team to
manage the cybersecurity program and run the day-to-day cybersecurity
functions.
- Training: Implementation of and attendance by
cybersecurity personnel at cybersecurity trainings. See §§ 500.10(2);
500.14. The cybersecurity team must attend regular cybersecurity trainings
to keep updated on ever-changing cybersecurity threats and
countermeasures. Additionally, all employees must attend cybersecurity
awareness training sessions.
- Access Privileges: Limitation and
periodic review of access privileges to the company's information systems
solely to those individuals who need access as part of their roles. See § 500.07.
- Audit Trail: Maintenance of an audit
trail system that records data sufficient to completely and accurately
reconstruct all financial transactions, and that logs privileged user access
and system events. See § 500.06.
- Incident Response Plan: Establishment of a
written incident response plan designed to promptly respond to and recover
from a cybersecurity breach. See §
500.16.
- Reporting and Certification: Reporting serious
cybersecurity breaches to the Superintendent of Financial Services within
72 hours. See § 500.17. Additionally, each financial services company must
annually certify that it is in compliance with the new regulations. See §
500.17. A model certification of compliance is attached as Appendix A of
the Rules.
When will the Rules become effective?
The Rules are set to be published in the New York State register on
September 28, 2016, after which they will enter a 45-day notice and public
comment period prior to final issuance. See Press Release. The Rules become effective
as of January 1, 2017. See § 500.20. However, financial institutions covered by
the Rules will have 180 days to comply with the new requirements. See § 500.21.
Conclusion
The Rules are publicized as the first of their kind in the country and
initial reactions to them have varied. Some believe they will have a minimal
impact on large financial services institutions which already invest heavily in
sophisticated cybersecurity programs but will be most harshly felt by smaller
companies, which could have to pay upwards of millions of dollars to update
their cybersecurity programs to meet the minimum requirements. Others see the
Rules as a welcome effort to increase the overall level of cybersecurity in
critical industries that face ever-increasing risks of cybercrime and
cyberterrorism. The overall effectiveness of the Rules can only be speculated at
this point. However, what is likely is that other states and even the federal
government may adopt similar regulations in the near future.
As for implementing the Rules, the Federal Financial Institutions
Examination Council ("FFIEC") has issued extensive material on
cybersecurity awareness but has not put that guidance into the form of a
regulation. A covered institution might want to refer to this FFIEC guidance in
implementing the Rules.