For financial firms that do business in New York, a fast-approaching Aug. 28 deadline is an important reminder that new cyber-security demands in that state will bring waves of cost, complexity, and compliance.
For about a year, New York’s Department of Financial Services (NYDFS) has hammered out enhanced cyber-security expectations for financial institutions that fall within its oversight. The agency’s regulations will impose a host of new security, personnel, attestation, and reporting requirements.
In large part, the impetus for the state rules, according to NYDFS, is research showing that, despite heightened cyber-security risks, roughly 36 percent of banks still don’t have a chief information security officer.
The new rule regime has many in the world of financial firms on pins and needles.
“Certain components of the compliance obligations, like attestation and some of the broader requirements put in place” are costly, broad challenges, says Douglas Landy, a partner in law firm Milbank’s global leveraged finance group.
Smaller firms will need to invest more in cyber-compliance. Larger firms, more likely to have in-house systems and personnel, “need to know they are meeting these tests, which are still a little vague,” Landy says. “We will need to see where it goes. Compliance officers are concerned about open-ended liability. Everybody is going to get hacked. If the U.S. government can’t stop itself from being hacked, it is unfair to ask private institutions to have zero sum, no hacking.”
In greater detail, New York’s rules will require that banks, insurance companies, and other financial services institutions overseen by the NYDFS establish a cyber-security program. Firms are also expected to adopt a written cyber-security policy; designate a chief information security officer responsible for implementing, overseeing, and enforcing the new program and policy; and have policies and procedures designed to ensure the security of information systems and non-public information accessible to, or held by, third parties.
Each covered entity will be required to implement and maintain a written cyber-security policy detailing policies and procedures for the protection of information systems and the non-public information stored on those systems. At a minimum, they must address:
access controls and identity management;
business continuity and disaster recovery planning;
systems and network monitoring;
physical security and environmental controls;
customer data privacy;
vendor and third-party service provider management;
risk assessment; and
A cyber-security policy, prepared on at least an annual basis, must be reviewed by a firm’s board of directors and approved by a senior officer.
The CISO of each covered entity is required to develop a report, at least bi-annually, that is presented to the board of directors or equivalent governing body and made available to the superintendent upon request.
This report must assess the confidentiality, integrity, and availability of the firm’s information systems; detail exceptions to the cyber-security policies and procedures; identify cyber-risks; assess the effectiveness of the cyber-security program; propose steps to remediate any identified inadequacies; and include a summary of all material cyber-security events during the time period addressed by the report.
The cyber-security program should, at a minimum, include penetration testing of information systems at least annually, and vulnerability assessments on a quarterly basis. The program must include audit trail systems that track and maintain data and allow for the complete, accurate reconstruction of all the financial transactions and accounting necessary to detect and respond to a cyber-security event.
Firms must also implement written policies and procedures designed to ensure the security of information systems and non-public data accessible to, or held by, third parties doing business with them. On an annual basis, by Jan. 15, each firm will be required to provide the NYDFS superintendent a written statement certifying that they are in compliance with all requirements. The identification of any material risk of imminent harm relating to its cyber-security program requires that the superintendent be notified within 72 hours.
A limited exemption is included in the rule for firms with fewer than 1,000 customers in each of the last three calendar years, less than $5 million in gross annual revenue in each of the last three fiscal years, and less than $10 million in year-end total assets.
Month-by-month, New York is establishing compliance deadlines. Beginning on August 28, 2017, all entities covered by DFS cyber-security regulation must file certain notifications to the Superintendent including notices of certain cyber-security events within 72 hours from a determination that a reportable event has occurred.
By Feb. 15, 2018, covered entities must file a certificate of compliance stating that the covered entity has been in compliance for the previous calendar year.
Earlier this month, Financial Services Superintendent Maria Vullo announced that the Department of Financial Services (DFS) has launched a new online portal to securely transmit in real time all of the required notifications.
Best practices: how to manage the risk
Can we expect to see other states impose similar requirements and standards? Colorado and Connecticut have already done so, and compliance teams are concerned that, like breach notification laws, cyber-security laws will be varied, inconsistent, and incongruous.
A Q&A on the NYDFS rule
New York’s Department of Financial Services has released a “Q&A” document regarding its cyber-security rule for financial firms. An excerpt follows.
When is an unsuccessful attack a cyber-security Event that has or had “a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity” under the reporting requirements of 23 NYCRR Section 500.17(a)(2)?
The Department recognizes that Covered Entities are regularly subject to many attempts to gain unauthorized access to, disrupt or misuse Information Systems and the information stored on them, and that many of these attempts are thwarted by the Covered Entities’ cyber-security programs. The Department anticipates that most unsuccessful attacks will not be reportable, but seeks the reporting of those unsuccessful attacks that, in the considered judgment of the Covered Entity, are sufficiently serious to raise a concern. For example, notice to the Department under 23 NYCRR Section 500.17(a)(2) would generally not be required if, consistent with its Risk Assessment, a Covered Entity makes a good faith judgment that the unsuccessful attack was of a routine nature.
The Department believes that analysis of unsuccessful threats is critically important to the ongoing development and improvement of cyber-security programs, and Covered Entities are encouraged to continually develop their threat assessment programs. Notice of the especially serious unsuccessful attacks may be useful to the Department in carrying out its broader supervisory responsibilities, and the knowledge shared through such notice can be used to timely improve cyber-security generally across the industries regulated by the Department.
Accordingly, Covered Entities are requested to notify the Department of those unsuccessful attacks that appear particularly significant based on the Covered Entity’s understanding of the risks it faces.
For example, in making a judgment as to whether a particular unsuccessful attack should be reported, a Covered Entity might consider whether handling the attack required measures or resources well beyond those ordinarily used by the Covered Entity, like exceptional attention by senior personnel or the adoption of extraordinary non-routine precautionary steps.
The Department recognizes that Covered Entities’ focus should be on preventing cyber-security attacks and improving systems to protect the institution and its customers. The Department’s notice requirement is intended to facilitate information sharing about serious events that threaten an institution’s integrity and that may be relevant to the Department’s overall supervision of the financial services industries.
The Department trusts that Covered Entities will exercise appropriate judgment as to which unsuccessful attacks must be reported and does not intend to penalize Covered Entities for the exercise of honest, good faith judgment.
Are the New York branches of out-of-state domestic banks required to comply with 23 NYCRR Part 500?
New York is a signatory to the Nationwide Cooperative Agreement, Revised as of December 9, 1997, an agreement among state banking regulators that addresses supervision in an interstate branching environment.
Pursuant to the Agreement, the home state of a state-chartered bank with a branch or branches in New York under Article V-C of the New York Banking Law is primarily responsible for supervising such state-chartered bank, including its New York branches.
In keeping with the Agreement’s goals of interstate coordination and cooperation with respect to the supervision and examination of bank branches, including compliance with applicable laws, DFS will defer to the home state supervisor for supervision and examination of the New York branches, with the understanding that DFS is available to coordinate and work with the home state in such supervision and examination.
DFS notes that New York branches are required to comply with New York state law, and DFS maintains the right to examine branches located in New York.
With respect to DFS’s cyber-security regulation, given the ever-increasing cyber-security risks that financial institutions face, DFS strongly encourages all financial institutions, including New York branches of out-of-state domestic banks, to adopt cyber-security protections consistent with the safeguards and protections of 23 NYCRR Part 500.
How must a Covered Entity address cyber-security issues with respect to its subsidiaries and other affiliates?
When a subsidiary or other affiliate of a Covered Entity presents risks to the Covered Entity’s Information Systems or the Nonpublic Information stored on those Information Systems, those risks must be evaluated and addressed in the Covered Entity’s Risk Assessment, cyber-security program and cyber-security policies. Other regulatory requirements may also apply, depending on the individual facts and circumstances.
Under 23 NYCRR 500.17(a), is a Covered Entity required to give notice to the Department when a cyber-security event involves harm to consumers?
Yes. 23 NYCRR 500.17(a) must be read in combination with other laws and regulations that apply to consumer privacy. Under 23 NYCRR 500.17(a)(1), a Covered Entity must give notice to the Department of any cyber-security event “of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body,” which includes many cyber-security events that involve consumer harm, whether actual or potential.
Is a Covered Entity required to give notice to consumers affected by a cyber-security event?
New York’s information security breach and notification law requires notice to consumers who have been affected by cyber-security incidents.
Additionally, Part 500 requires that Covered Entities address as part of their incident response plans external communications in the aftermath of a breach, which includes communication with affected customers. Thus, a Covered Entity’s cyber-security program and policies will need to address notice to consumers in order to be consistent with the risk-based requirements of 23 NYCRR Part 500.
May a covered entity adopt portions of an Affiliate's cyber-security program without adopting all of it?
A Covered Entity may adopt an affiliate's cyber-security program in whole or in part, as long as the Covered Entity's overall cyber-security program meets all requirements of 23 NYCRR Part 500.
The Covered Entity remains responsible for full compliance with the requirements of 23 NYCRR Part 500. To the extent a Covered Entity relies on an Affiliate's cyber-security program in whole or in part, that program must be made available for examination by the Department.
Are the DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks required to comply with 23 NYCRR Part 500?
Yes. It is further noted that, in such cases, only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office are subject to the applicable requirements of 23 NYCRR Part 500, whether through the branch's, agency's or representative office's development and implementation of its own cyber-security program or through the adoption of an Affiliate's cyber-security program.
What constitutes "continuous monitoring" for purposes of 23 NYCRR 500.05?
Effective continuous monitoring could be attained through a variety of technical and procedural tools, controls and systems.
There is no specific technology that is required to be used in order to have an effective continuous monitoring program. Effective continuous monitoring generally has the ability to continuously, on an ongoing basis, detect changes or activities within a Covered Entity's Information Systems that may create or indicate the existence of cyber-security vulnerabilities or malicious activity.
In contrast, non-continuous monitoring of Information Systems, such as through periodic manual review of logs and firewall configurations, would not be considered to constitute "effective continuous monitoring" for purposes of 23 NYCRR 500.05.
Source: New York Department of Financial Services
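The continuous-monitoring answer above turns on one distinction: a control that evaluates every change to an information system as it happens, versus a periodic manual look at logs or firewall configurations. The following Python script is an added illustration of that distinction and is not NYDFS guidance or any vendor's product: it keeps an approved baseline of a firewall rule set, fingerprints each rule so that reordering is not mistaken for change, and raises an alert the moment a snapshot shows an added, removed or altered rule that carries no change-ticket approval. The rule set, rule ids, account names and the ticket reference `CHG-0001` are constructed for the example.

```python
"""Change-detection monitor for a firewall rule set (illustrative, not a product).

Every snapshot is evaluated on arrival against the last approved baseline.
Unapproved differences become alerts immediately; an approved change (one that
carries a change-ticket reference) replaces the baseline instead.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

Rule = Dict[str, str]

# Constructed sample rule set; names and ids are invented for this example.
BASELINE: List[Rule] = [
    {"id": "fw-1", "action": "allow", "proto": "tcp", "port": "443", "src": "any", "dst": "web-tier"},
    {"id": "fw-2", "action": "deny", "proto": "any", "port": "any", "src": "any", "dst": "db-tier"},
    {"id": "fw-3", "action": "allow", "proto": "tcp", "port": "22", "src": "admin-jump", "dst": "db-tier"},
]

# Approved change: a new rule added under a (constructed) ticket CHG-0001.
APPROVED: List[Rule] = BASELINE + [
    {"id": "fw-4", "action": "allow", "proto": "tcp", "port": "8443", "src": "monitoring", "dst": "web-tier"},
]

# Unapproved drift: fw-2 flipped from deny to allow, and an unknown rule fw-9 appeared.
DRIFTED: List[Rule] = [
    r if r["id"] != "fw-2" else dict(r, action="allow") for r in APPROVED
] + [
    {"id": "fw-9", "action": "allow", "proto": "tcp", "port": "3389", "src": "any", "dst": "db-tier"},
]


def rule_fingerprint(rule: Rule) -> str:
    """Stable SHA-256 of a rule; key order and list position do not affect it."""
    canonical = json.dumps(rule, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def index_rules(rules: List[Rule]) -> Dict[str, str]:
    """Map rule id -> fingerprint for one snapshot."""
    return {r["id"]: rule_fingerprint(r) for r in rules}


def diff_snapshots(baseline: List[Rule], current: List[Rule]) -> List[Tuple[str, str]]:
    """Return (change_type, rule_id) pairs, ordered by rule id, for
    rules that were added, removed or modified relative to the baseline."""
    old, new = index_rules(baseline), index_rules(current)
    changes: List[Tuple[str, str]] = []
    for rid in sorted(set(old) | set(new)):
        if rid not in old:
            changes.append(("added", rid))
        elif rid not in new:
            changes.append(("removed", rid))
        elif old[rid] != new[rid]:
            changes.append(("modified", rid))
    return changes


class ContinuousMonitor:
    """Holds the approved baseline and evaluates each snapshot as it arrives."""

    def __init__(self, baseline: List[Rule]) -> None:
        self.baseline = baseline
        self.alerts: List[dict] = []

    def observe(self, snapshot: List[Rule], observed_at: str,
                approved_ticket: Optional[str] = None) -> List[dict]:
        """Evaluate one snapshot. With a ticket reference the change is treated
        as approved and becomes the new baseline; otherwise every difference
        is raised as an alert right away rather than waiting for a review."""
        changes = diff_snapshots(self.baseline, snapshot)
        if not changes:
            return []
        if approved_ticket:
            self.baseline = snapshot
            return []
        new_alerts = [{"time": observed_at, "change": kind, "rule": rid}
                      for kind, rid in changes]
        self.alerts.extend(new_alerts)
        return new_alerts


def demo() -> List[dict]:
    """Feed three snapshots through the monitor and return the alerts raised."""
    monitor = ContinuousMonitor(BASELINE)
    monitor.observe(BASELINE, "2017-08-28T09:00:00Z")                       # no change
    monitor.observe(APPROVED, "2017-08-28T09:05:00Z", approved_ticket="CHG-0001")  # approved
    monitor.observe(DRIFTED, "2017-08-28T09:06:00Z")                        # unapproved drift
    return monitor.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Run as a script it prints two alerts, one for the modified `fw-2` and one for the added `fw-9`, both timestamped with the snapshot in which they first appeared; the approved addition of `fw-4` produces none. The same pattern applies to any configuration or log source that can be snapshotted or streamed: the defining property is that each observation is judged when it arrives, not on a calendar.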
“In late March, the Colorado Department of Regulatory Agencies proposed new cyber-security requirements that would apply to investment advisers and broker-dealers subject to the Colorado Securities Act,” says Melinda McLellan, a partner with law firm BakerHostetler.
The Colorado proposal, she says, is more modest in scope than the NYDFS regulations, “but it’s similarly novel in that it’s the first regulation of its specific kind in the nation.”
“At the time it came out, we thought we might see a trend of new state-level data security regulations applicable to the financial services sector,” McLellan says. “Although that has not yet occurred, it still may. To the extent state legislatures and regulatory authorities perceive that the federal government is lagging in terms of prioritizing cyber-security, they may attempt to push things forward at the state level.”
As for escalating compliance with NYDFS’ rule regime, “there is still some confusion for certain types of entities,” McLellan says. “Those that have complex corporate structures or affiliates and subsidiaries are resistant to being swept up by virtue of their connection to the covered entity.”
Financial companies are “woefully underprepared,” says Richard Hudson, vice president of cyber-security at Cordium, a compliance consultancy for the global finance industry. “Many, especially non-U.S. banks with offices in NYC, fail to realize the scope of the new regulation, perhaps because it is coming from a regional authority versus a regulator like the SEC.”
Hudson estimates that roughly 80 percent of firms covered by the rule are not yet ready to meet its demands.
In part, IT departmental politics and reporting structures are to blame as CISOs and CIOs often have different priorities when it comes to investing in cyber-security.
His advice: Start with a risk assessment. “Firms need to understand the landscape they are working with. If they don’t know if they have 10 issues, or 100 issues, they don’t know what their maturity level is. If you don’t know, you don’t know where to start.”
Firms should collect all relevant documents and data, putting together a full view of all procedures and incident responses.
“The next step is validation and verification that the firm is actually following the policies they have written down,” Hudson says. “The first thing the regulators will do is ask for documentation. They are going to review it and make you prove that you are doing what you say you are doing.”
Mike Stiglianese, a managing director in BDO Consulting’s Technology Advisory Services practice, offers similar advice.
A firm cannot just announce: “We haven’t had any breaches, so we must be good,” Stiglianese says. Probing questions must be asked. “Are you doing a risk assessment to understand where you really are and comparing it with the regulation to determine where your gaps are? You need to put plans in place for how you are going to fill those gaps, or put in compensating controls to mitigate them.”
“There will still be intrusions into systems,” says Milbank’s Landy. “Most of them are benign, in the sense that they may have ill-intent, but fail to cause any damage. What is going to be the reaction by NYDFS?”
He compares the situation to money laundering, where firms face substantial fines, consent orders, and outside monitors for “the lack of having an effective program, regardless of any actual money laundering, or terrorist financing.”
His suggestion is for firms to head off those concerns by writing a very thorough and strenuous set of policies and procedures.
“Putting it all down on paper, so that everybody understands what their role is and what they are supposed to do, is really important and often overlooked,” Landy says. “A little extra effort in papering it up, and appropriately training people, can save a lot of headaches later on.”