New York state has announced a new, “first-in-the-nation regulation…to protect [it] from the ever-growing threat of cyber-attacks.” The proposed regulation requires banks, insurance companies, and other financial services institutions regulated by its Department of Financial Services to establish and maintain a cyber-security program designed to protect consumers and ensure the safety and soundness of the financial services industry.
The proposed regulation requires regulated financial institutions to establish a cyber-security program; adopt a written cyber-security policy; designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems.
Each covered entity will be required to implement and maintain a written cyber-security policy setting forth its policies and procedures for the protection of information systems and the nonpublic information stored on those systems. The policy, at a minimum, must address:
data governance and classification;
access controls and identity management;
business continuity and disaster recovery planning and resources;
capacity and performance planning;
systems operations and availability concerns;
systems and network security;
systems and network monitoring;
systems and application development and quality assurance;
physical security and environmental controls;
customer data privacy;
vendor and third-party service provider management;
risk assessment; and
The cyber-security policy, prepared on at least an annual basis, must be reviewed by a firm’s board of directors, or equivalent governing body, and approved by a senior officer.
Each covered entity must designate a qualified individual to serve as Chief Information Security Officer, responsible for overseeing and implementing the cyber-security program and enforcing its cyber-security policy. To the extent this requirement is met using third-party service providers, the firm will: retain responsibility for compliance; designate a senior executive or employee responsible for oversight of the provider; and require the provider to maintain a cyber-security program that meets the regulation’s requirements.
The CISO of each entity would be required to develop a report, at least bi-annually, that is presented to the board of directors or equivalent governing body and made available to the superintendent upon request. It must: assess the confidentiality, integrity and availability of the firm’s information systems; detail exceptions to the cyber-security policies and procedures; identify cyber risks; assess the effectiveness of the cyber-security program; propose steps to remediate any identified inadequacies; and include a summary of all material cyber-security events during the time period addressed by the report.
The cyber-security program should, at a minimum, include penetration testing of information systems at least annually, and vulnerability assessments on a quarterly basis. The program must include implementing and maintaining audit trail systems that:
track and maintain data that allows for the complete and accurate reconstruction of all financial transactions and accounting necessary to detect and respond to a cyber-security event;
track and maintain data logging of all privileged authorized user access to critical systems;
protect the integrity of data stored and maintained as part of any audit trail from alteration or tampering;
protect the integrity of hardware from alteration or tampering, including by limiting electronic and physical access permissions to hardware and maintaining logs of physical access to hardware that allows for event reconstruction;
log system events including, at a minimum, access and alterations made to the audit trail systems by the systems or by an authorized user, and all system administrator functions performed on the systems; and
maintain records produced as part of the audit trail for at least six years.
As part of its cyber-security program, each firm must limit access privileges to information systems that provide access to nonpublic information solely to individuals who require it to perform their responsibilities. Access privileges should be periodically reassessed. Firms must also implement written policies and procedures designed to ensure the security of information systems and nonpublic data accessible to, or held by, third parties doing business with them.
Firms will be expected to: require multi-factor authentication for any individual accessing internal systems or data from an external network; require multi-factor authentication for privileged access to database servers that allow access to nonpublic information; and require risk-based authentication in order to access web applications that capture, display or interface with nonpublic information.
As part of its cyber-security program, each firm will be required to include policies and procedures for the timely destruction of any nonpublic information that is no longer necessary for the products or services for which it was provided, except when the information is required to be retained by law or regulation.
Training is also a requirement in the proposed regulation. Firms must require all personnel to attend regular cyber-security awareness training sessions that are updated to reflect risks identified in the annual assessment.
On an annual basis, by Jan. 15, each firm is required to provide the NYDFS superintendent a written statement (an example is provided as an addendum to the rule proposal) certifying that it is in compliance with all requirements.
To the extent areas, systems, or processes that require material improvement, updating, or redesign are uncovered, firms are expected to document the remedial efforts planned and underway. If a firm identifies any material risk of imminent harm relating to its cyber-security program, it must notify the superintendent within 72 hours.
The proposed regulation “includes certain regulatory minimum standards while maintaining flexibility so that the final rule does not limit industry innovation and instead encourages firms to keep pace with technological advances.”
A limited exemption is included in the rule for firms with fewer than 1000 customers in each of the last three calendar years, less than $5,000,000 in gross annual revenue in each of the last three fiscal years, and less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles. In the event that a firm, as of its most recent fiscal year end, ceases to qualify for the exemption it has 180 days from the fiscal year end to comply with all requirements.
Prior to proposing this new regulation, NYDFS surveyed nearly 200 regulated banking institutions and insurance companies to obtain insight into the industry's efforts to prevent cyber-crime. Officials also met with a cross-section of those surveyed, as well as cyber-security experts, to discuss emerging trends and risks, along with the due diligence processes, policies and procedures governing relationships with third-party vendors. The findings from these surveys led to three reports which helped to inform the rulemaking process.
The proposal is subject to a 45-day notice and public comment period before its final issuance. Covered Entities shall have 180 days from the effective date of the regulation to comply.