There is no shortage of guidance and frameworks for dealing with the risk of data breaches and fending off would-be hackers. What there hasn’t been, until now, is an industry-wide set of rules comparable to what New York’s Department of Financial Services has in store for financial institutions that fall under its oversight.
The agency’s regulations will impose a host of new security, personnel, attestation, and reporting requirements. “This is like a movie where we have been seeing trailers for the past two years,” says Kurt Kicklighter, a partner with the international law firm Dentons. “This is about a state basically coming out and saying that they don’t think the current federal regulation is adequate and sending signals of exactly what direction they want to go in.”
In June, the Federal Deposit Insurance Corporation’s Information Technology Risk Examination program—a risk-based approach for conducting examinations related to information technology and cyber-security risks—was updated for federally insured banks. Nevertheless, as Kicklighter explained during a recent forum on NYDFS’ proposed rule, sponsored by global valuation and corporate finance advisor Duff & Phelps, the new rule essentially signals that the agency does not care what other cyber-security guidelines are in place; those put forth by New York’s own InTREx examination tool are the baseline for best practices that state regulators will look for in the future.
For example, the NYDFS points to research showing that, despite heightened cyber-security risks, roughly 36 percent of banks still don’t have a chief information security officer. Having a CISO in place and reporting to the board is just one of the new requirements financial institutions with a New York presence will face.
The new cyber-rule. “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” New York Governor Andrew Cuomo said when the rule, described as a “first in the nation regulation,” was proposed in September. “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”
Once final, the regulation will require that banks, insurance companies, and other financial services institutions overseen by the NYDFS establish a cyber-security program; adopt a written cyber-security policy; designate a CISO responsible for implementing, overseeing, and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and non-public information accessible to, or held by, third-parties.
Each covered entity will be required to implement and maintain a written cyber-security policy detailing policies and procedures for the protection of information systems and the non-public information stored on those systems. At a minimum, they must address:
access controls and identity management;
business continuity and disaster recovery planning;
systems and network monitoring;
physical security and environmental controls;
customer data privacy;
vendor and third-party service provider management;
risk assessment; and
A cyber-security policy, prepared on at least an annual basis, must be reviewed by a firm’s board of directors and approved by a senior officer.
The CISO of each covered entity is required to develop a report, at least bi-annually, that is presented to the board of directors or equivalent governing body and made available to the superintendent upon request. This report must assess the confidentiality, integrity, and availability of the firm’s information systems; detail exceptions to the cyber-security policies and procedures; identify cyber-risks; assess the effectiveness of the cyber-security program; propose steps to remediate any identified inadequacies; and include a summary of all material cyber-security events during the time period addressed by the report.
The cyber-security program should, at a minimum, include penetration testing of information systems at least annually and vulnerability assessments on a quarterly basis. The program must include audit trail systems that track and maintain data and allow for the complete, accurate reconstruction of all the financial transactions and accounting necessary to detect and respond to a cyber-security event.
Firms must also implement written policies and procedures designed to ensure the security of information systems and non-public data accessible to, or held by, third parties doing business with them.
On an annual basis, by Jan. 15, each firm is required to provide the NYDFS superintendent a written statement certifying that they are in compliance with all requirements. The identification of any material risk of imminent harm relating to its cyber-security program requires that the superintendent be notified within 72 hours.
A limited exemption is included in the rule for firms with fewer than 1,000 customers in each of the last three calendar years, less than $5 million in gross annual revenue in each of the last three fiscal years, and less than $10 million in year-end total assets, calculated in accordance with Generally Accepted Accounting Principles.
The scramble. While much of what’s in the proposed rule may not be all that surprising, especially when compared to existing guidance and frameworks, compliance may nonetheless be challenging, thanks to a tight implementation timeline. Although the rule was not yet final prior to Thanksgiving Day, there is no indication that its deadlines will change, including an anticipated effective date of Jan. 1, 2017.
That doesn’t give institutions very much time to achieve compliance if they need to make substantial changes, says Tim Newman, an associate with law firm Haynes and Boone. There are also ambiguities in the regulation. For example, what, exactly, constitutes “sufficient” personnel to manage the needs of an institution?
“For the larger institutions, it is yet another regulation for them to certify compliance with, and in that regard, it is a bit burdensome,” Newman says. “Some of the technical requirements, like encryption and multi-factor authentication, may be more far-reaching than what some of the larger institutions are already doing. The smaller institutions—the ones that aren’t quite small enough to fit the exemption thresholds—are going to be the ones to really feel the squeeze.”
New board responsibilities. The good news, given the heightened responsibilities and attestation requirements imposed upon directors, is that many boards have already taken proactive steps to beef up their oversight of cyber-security issues. Newman says the CISO mandate may assist those efforts. “That person will be providing regular reports and keeping the board up-to-speed on what the risks are and what the company has going on with respect to cyber-security,” he says. “There will be a bit of a learning curve, however, and this regulation certainly shifts the conversation from being just an IT issue to a board-level and C-suite concern.”
NYDFS CYBER-SECURITY RULE
The following is from a proposed rule by the New York Department of Financial Services regarding cyber-security measures for financial services companies.
The New York State Department of Financial Services (DFS) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. Cyber-criminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cyber threats. DFS appreciates that many firms have proactively increased their cyber-security programs with great success.
Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cyber-security programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities.
This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.
It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.
Boards and CISOs may also need added guidance—or at least the clarity inevitable enforcement will bring to the industry—for how to balance security concerns with reporting obligations.
“We had a lot of those same conversations when the Securities and Exchange Commission’s Division of Corporation Finance issued guidance a few years ago on cyber-security disclosures,” Newman says. “There were questions about how detailed do we need to be in how an event occurred and what our particular risks are. That certainly is a concern. You are potentially providing a blueprint for how an attacker could gain access to information. If there is an incident, there is quite a paper trail now about what the risks and vulnerabilities were.”
Craig Newman, head of the privacy and data security practice at law firm Patterson Belknap, says the new NYDFS rules may become a blueprint for cyber-regulation nationwide.
“The regulation is a major shift in the broader dialogue about cyber-security, board engagement, and accountability,” he says. “While the proposed regulation is far from perfect, it reframes cyber into a matter of corporate governance and moves overall responsibility into the hands of boards of directors. The level of detail in the regulation transcends ‘guidelines’ or ‘suggestions,’ as we’ve seen them and mandates specific, hard and fast rules. And, like Sarbanes-Oxley in the post-2008 credit crisis, the DFS rules require board approval and senior-level compliance responsibility.”
Newman describes the regulation as the first of its sort to “squarely move cyber-security into the boardroom” by requiring board engagement and board-level accountability. “If you think about it, it really is a corporate governance issue because risk committees at public organizations are worried about financial and systemic risk, business and competitive risks, all the different risk elements we traditionally see. If you take a step back, cyber-security is a business risk, so it is not surprising that the NYDFS is treating it as such.”
Boards will have plenty of those questions as they immerse themselves in the threat environment from a governance point of view. What are the best practices? How can they be best prepared to defend against the inevitable? What’s the game plan once they have been compromised?
“There is no doubt that boards are definitely stepping up their game on cyber-security and bringing in experts to not just help them understand the risks, but help them ask the right questions and assess whether the answers are authentic or not,” Newman says.
Third-party concerns. Among the more challenging aspects of New York’s rule is how it extends cyber-security obligations to third parties and vendors of all sizes.
“While only about 3,000 companies are directly affected by the regulation, vendors and business partners of these companies, including law firms, are also required to implement safeguards, extending the reach of the regulation much further than many may suspect,” Newman says. “For any third-party vendor—whether it’s a lawyer or accounting firm or a forensics firm—if they touch a covered institution’s non-public information or IT network, they are going to be covered by this regulation. You are going to be mandated to have certain minimum safeguards in place, including a laundry list of preferred vendor provisions that NYDFS is requiring under the regulation.”
“One of the unintended consequences of this regulation might be to potentially drive some institutions out of New York because the cost of compliance is going to be pretty high,” he adds. “If you have smaller vendors that are providing IT services or smaller law firms, I’m not sure they are going to be able to comply with the third-party vendor rules.”
A compliance plan. The first of the rule’s mandated cyber-security reports, which has to be signed by either the board of directors or a senior officer, must be filed by Jan. 15, 2017.
The NYDFS requirements further position cyber-security as a business imperative, says Erik Laykin, a managing director with Duff & Phelps. “They have taken cyber-security from an IT function and placed it right in the middle of your business. It is now a cornerstone issue that needs to be addressed with visibility at the board-of-director level and throughout the organization.”
“It is going to take every bit of the first six months for even the most sophisticated institutions to implement the regulation,” says Patterson Belknap’s Craig Newman. “Over time, it will be easier to comply as board members and CISOs adapt to the regulation, but it is not going to be a straight road because it is so detailed and prescriptive.”
As to what enforcement of the new rule will look like, uncertainty will be a lingering concern as compliance requirements come to pass. There are also fears that enforcement, and the paper trail provided to New York, could open the door to class-action lawsuits.
The risk landscape, while all this unfolds, will keep evolving.
“One of the IT guys I know has this great saying, ‘You can build 15-foot walls around your IT system, but the hackers are always going to have 16-foot ladders.’ Regardless of the strength of your firewalls and your IT systems, the hackers are incredibly sophisticated and it is very hard to keep up with these guys,” Newman says.
Given the challenging task ahead and regulatory ramp-up, will initial audits by the NYDFS be more in line with information gathering and be less enforcement related, or “are they going to come out of the box and require strict compliance from Day One?” he asks. “We don’t know the answer to that question yet.”