Enter to open, tab to navigate, enter to select
NY Department of Financial Services Cybersecurity Regulations for Banks
Practical Law Article w-003-5913 (Approx. 8 pages)
NY Department of Financial Services Cybersecurity Regulations for Banks
by Practical Law Finance
| Published on 21 Nov 2016 • USA |
This Article discusses the cybersecurity program requirements that financial institutions would be required to meet under the recently-proposed New York State Department of Financial Services' regulations.
On September 13, 2016, the New York State Department of Financial Services (NYDFS) announced its intention to require covered financial institutions to comply with new cybersecurity regulations that safeguard information systems and nonpublic information. Covered institutions would include financial services companies that are required to have authorization to operate under the New York State banking, insurance or financial services laws. Entities that have fewer than 1000 customers, less than $5 million in gross annual revenue and less than $10 million in year-end total assets would be exempt from some of these requirements.
The proposed regulations are subject to a 45-day public notice and comment period, running from September 28, 2016, the day the proposal was published in the New York Register. If the regulations are approved, they would go into effect on January 1, 2017, and would allow institutions 180 days from their effective date to become compliant.
The broad and comprehensive proposed regulations go beyond what is currently explicitly required under federal regulations in many respects, and also codify many best practices and self-regulatory standards that are already in place. Due to the large volume of nonpublic information that financial institutions hold, both in terms of proprietary information regarding systems operations as well as private customer information, most financial entities should already have cybersecurity programs that address most of the requirements to be imposed by the NYDFS.
For more information on cybersecurity for banks, see Article, Cybersecurity for Banks: The Legal and Regulatory Framework.
To be compliant with the proposed NYDFS regulations, a covered entity must:
- Develop a Cybersecurity Program. Under the proposed NYDFS regulations, covered entities must develop, establish and maintain a cybersecurity program that ensures the confidentiality, integrity, and availability of the entity's information systems. The NYDFS proposal has many similarities to existing information security programs required under the Federal Trade Commission Act (FTC Act), Gram-Leach-Biliey Act (GLBA), and the Dodd-Frank Act (see Practice Notes, US Privacy and Data Security Law: Overview, GLBA: The Financial Privacy and Safeguards Rules, and FTC Data Security Standards and Enforcement). The National Institute of Standards and Technology has also issued guidance on implementing a cybersecurity framework, but does not specifically address financial institutions (see Practice Note, The NIST Cybersecurity Framework). While the NYDFS proposal may in some areas be more stringent than existing requirements, the current federal requirements provide valuable insights to the implementation of an effective cybersecurity program under the NYDFS. In many respects, the newly issued NYDFS regulations reflect existing legal requirements combined with industry best-practices already in effect at many intuitions. Specifically, under the NYDFS proposal, covered entities must:
- Identify internal and external risks by, at a minimum, identifying the nonpublic information stored, the sensitivity thereof, and the individuals and outside entities that have either physical and electronic access to it. Under most state laws, financial institutions already have an obligation to safeguard certain nonpublic information, such as personally identifiable information (PII), and require notification of either customers, regulators or both when breaches in security occur (see Practice Notes, State Data Breach Laws Protected Personal Information Chart: Overview and State Data Breach Laws Agency Notice Requirements Chart: Overview). Under the proposed NYDFS regulations, nonpublic information also includes information that, if tampered with, would cause a material adverse impact on the business operations or security of the entity.
- Use defensive infrastructure, which would enable the institution to detect cybersecurity events and respond to mitigate their negative effects. Additionally, policies should dictate how entities will recover from cybersecurity events and fulfill regulatory obligations related to reporting events to regulators. (For related material on cyber-attack prevention and response, see Practice Notes, Cyber Attacks: Prevention and Proactive Responses and Cybersecurity Tech Basics: Hacking and Network Intrusions: Overview: Attack Prevention, Detection, and Response.)
- Create Written Cybersecurity Policies Addressing Specific Areas. Under the NYDFS regulations, the covered entities must have written cybersecurity policies addressing specified areas. The written policies are required to be reviewed and approved annually by a senior officer and the board of directors, and must address, at a minimum:
- information security (for guidance on drafting information security policies, see Practice Note, Developing Information Security Policies);
- data governance (for guidance on drafting data governance policies, see Practice Note, Developing Information Security Policies: Customer Information: Managing Intake, Maintenance, and Customer Requests);
- access controls (for guidance on drafting access control policies, see Practice Note, Developing Information Security Policies: Key Policy Topics: People: Roles, Access Control, and Acceptable Use);
- business continuity and disaster recovery planning and resources (for guidance on drafting disaster recovery policies, see Practice Notes, Cyber Attacks: Prevention and Proactive Responses: Recovery and Follow-up After a Cyber Attack and IT Outsourcing: Special Issues in IT Outsourcing Transactions: Disaster Recovery);
- capacity and performance planning (for a brief discussion on capacity concerns in the context of outsourcing cybersecurity, see Practice Note, IT Outsourcing: Special Issues in IT Outsourcing Transactions: Data Centers and Hosting: Striking a Balance for Service and Other Issues);
- systems operations and availability concerns;
- systems and network security (for guidance on drafting systems and network security policies, see Practice Note, Cybersecurity Tech Basics: Hacking and Network Intrusions: Overview and the FTC's Protecting Personal Information: A Guide for Business);
- systems and network monitoring (for guidance, see Practice Note, Cybersecurity Tech Basics: Hacking and Network Intrusions: Overview: Attack Prevention, Detection, and Response: Detecting and Responding to Attacks);
- physical security and environmental controls (for guidance, see Common Gaps in Information Security Compliance Checklist: Gaps in Technical and Physical Safeguards);
- customer data privacy (for guidance, see Practice Notes, GLBA: The Financial Privacy and Safeguards Rules: The Financial Privacy Rule and State Data Breach Laws Protected Personal Information Chart: Overview);
- third-party service provider management (for guidance, see Practice Notes, Managing Privacy and Data Security Risks in Vendor Relationships and Data Security Risk Assessments and Reporting: Service Provider and Supply Chain Risk Assessment, and Standard Document, Data Security Contract Clauses for Service Provider Arrangements (Pro-Customer));
- risk assessment (for guidance, see Practice Note, Data Security Risk Assessments and Reporting: Common Forms of Data Security Risk Assessments); and
- incident response (for guidance, see Practice Note, Cyber Attacks: Prevention and Proactive Responses: Cyber Incident Response Plans).
- Designate a Chief Information Security Officer. Covered entities must appoint a Chief Information Security Officer (CISO) who is responsible for implementing, overseeing, and enforcing cybersecurity policies. Cross-functional support of an information security program is already recommended as a best practice in many industries (see Practice Note, Developing a Privacy Compliance Program: Core Privacy Program Functions: Assembling Cross-Functional Support), and the chief compliance officer also plays a large role in preventing and responding to cybersecurity threats (see Practice Note, Cyber Attacks: Prevention and Proactive Responses: Chief Compliance Officer's Role in Cyber Attacks). Part of the Chief Information Security Officer's duties will include forming a report, on a bi-annual basis, that addresses the state of the cybersecurity program. The report must be presented to the board of directors and be available to the DFS on request. The report must address:
- the confidentiality, integrity and availability of the entity's information system;
- any exceptions to the cybersecurity policies and procedures;
- identified cyber risks to the covered entity;
- the effectiveness of the covered entity's cybersecurity program;
- steps required to remediate inadequate portions of the program; and
- a summary of all material cyber security events that occurred during the time period the report covers.
- Conduct Annual Penetration Testing and Quarterly Vulnerability Assessments. The cybersecurity program for each covered entity must, at a minimum, include:
- penetration testing of the entity’s information systems at least annually; and
- vulnerability assessments of the entity’s information systems at least quarterly.
These assessments are already part of recognized cybersecurity best-practices, and are included in many risk assessment programs (see Practice Note, Data Security Risk Assessments and Reporting: Common Forms of Data Security Risk Assessments). - Maintain Audit Trail Information. Retained information must enable the entity to track and maintain data that can:
- reconstruct financial transactions;
- track privileged authorized user access;
- protect audit trail data from tampering or alteration;
- protect hardware from alteration or tampering, including by restricting electronic and physical access and maintaining logs of access;
- log system events; and
- maintain records for six years.
- Access Privileges. As part of its cybersecurity program, covered entities must limit access privileges to information systems solely to those individuals who require such access in order to perform their responsibilities and shall periodically review such access privileges.
- Application Security. Covered entity cybersecurity programs must, at a minimum, include written procedures, guidelines and standards designed to ensure the use of secure development practices for applications developed in-house, as well as procedures for assessing and testing the security of all externally developed applications. These standards must be reviewed and updated by the Chief Information Security Officer at least annually.
- Risk Assessment. Covered entities must at least annually conduct a risk assessment of their information systems. Risk assessments must be carried out in accordance with written policies and procedures, be documented in writing, and include at a minimum:
- criteria for the evaluation and categorization of identified risks;
- criteria for the assessment of the confidentiality, integrity and availability of the information systems; and
- requirements for documentation describing how identified risks will be mitigated or accepted based on the risk assessment.
- Hire and Maintain Adequate Cybersecurity Personnel. An entity must have personnel sufficient to manage the covered entity's cybersecurity risks, which includes providing sufficient training for employees and other personnel (for related NIST guidance on cybersecurity training, see Legal Update, NIST Releases Draft Model for Cybersecurity Training). Sufficient training for personnel under NYDFS regulations include:
- requiring employee attendance at regular update and training sessions; and
- requiring employees to stay abreast of changing cyber threats and countermeasures.
- Implement Measures to Ensure Third-Party Security. The NYDFS regulations require that entities have written policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties. (For more on privacy and data security in the context of vendor relationships, see Practice Notes, Managing Privacy and Data Security Risks in Vendor Relationships and Data Security Risk Assessments and Reporting: Service Provider and Supply Chain Risk Assessment and Standard Document, Data Security Contract Clauses for Service Provider Arrangements (Pro-Customer).) These policies and procedures must, at a minimum, address:
- the identification and risk assessment of third parties with access to the bank's information systems or nonpublic information;
- minimum cybersecurity practices for third parties to be eligible to do business with the entity;
- due diligence processes to determine the adequacy of third party cybersecurity practices; and
- periodic assessments, at least annually, of the continued adequacy of third-party systems.
These third party policies and procedures must also establish provisions for inclusion in third-party vendor contracts, including provisions requiring:- use of multi-factor authentication for limiting access to sensitive information systems and nonpublic information;
- use of encryption to protect nonpublic information in transit and at rest;
- prompt notice to be provided to the covered entity in the event of a cybersecurity event affecting the third party service provider;
- identification of protection services to be provided for any customers materially impacted by a cybersecurity event that results from the third party service provider’s negligence or willful misconduct;
- representations and warranties from the third party service provider that the service or product provided to the covered entity is free of viruses, trap doors, time bombs and other mechanisms that would impair the security of the covered entity’s information systems or nonpublic information; and
- the right of the covered entity or its agents to perform cybersecurity audits of the third party service provider.
- Require Multi-Factor Authentication for Access to Nonpublic Information. Each covered entity must:
- require multi-factor authentication for any individual accessing the covered entity’s internal systems or data from an external network;
- require multi-factor authentication for privileged access to database servers that allow access to nonpublic information;
- require risk-based authentication in order to access web applications that capture, display or interface with nonpublic information; and
- support multi-factor authentication for any individual accessing web applications that capture, display or interface with Nonpublic Information.
These requirements are similar to those imposed under the Payment Card Industry Security Standards Counsel (PCI SSC) updated data security standard (see Legal Update, PCI SSC Publishes Updated Data Security Standard). - Implement Limitations on Data Retention. The NYDFS regulations requires destruction of nonpublic information after it is no longer required to provide the products or services for which the information was originally supplied. (For related best-practices in data retention, see Document Retention Policy: US Checklist.)
- Training and Monitoring. Covered entities must:
- implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users; and
- provide for and require all personnel to attend regular cybersecurity awareness training sessions that are updated to reflect risks identified by the covered entity in its annual assessment of risks.
- Encrypt Nonpublic Information. All nonpublic information must be encrypted, both in transit and while being stored. There will be a phase-in period for encryption, allowing alternative compensating controls for encryption for one year after the effective date of the regulations, if encryption is currently not feasible.
- Implement an Incident Response Plan. Entities must have a written plan to respond to and recover from adverse cyber events or decreased functionality of its business. The plan must address:
- the internal processes for responding to a cybersecurity Event;
- the goals of the incident response plan;
- the definition of clear roles, responsibilities and levels of decision-making authority;
- external and internal communications and information sharing;
- remediation of any identified weaknesses in information systems and associated controls;
- documentation and reporting regarding cybersecurity events and related incident response activities; and
- the evaluation and revision of the incident response plan following a cybersecurity event. (For related guidance, see Practice Note, Cybersecurity Tech Basics: Hacking and Network Intrusions: Overview: Attack Prevention, Detection, and Response: Detecting and Responding to Attacks.)
- Provide Notice to Regulators of Cybersecurity Events. The NYDFS regulations require that entities report cybersecurity events that have a material likelihood of materially affecting normal operations or nonpublic information to the Superintendent within 72 hours. Therefore, covered entities must have an incident reporting mechanism in place, including a written incident plan, that will facilitate internal processing of cybersecurity events and the required external reporting.