New York State Proposes New Cybersecurity Regulations
In response to a growing number of cyber-attacks on financial institutions, Governor Cuomo and the New York State Department of Financial Services announced proposed regulations that would require banks, insurance companies, and other financial service providers to design a cybersecurity policy and implement a cybersecurity program for the protection of critical information systems and “nonpublic information.” Through these proposed regulations, New York now joins a growing number of state and federal authorities that have identified “minimum standards” that companies should adopt to protect data from security breaches. The regulations offer some flexibility, but overall require entities to adopt specific measures. Governor Cuomo has hailed the regulations as a “first-in-the-nation.” Others have complained that the regulations are inflexible and onerous.
Scope of the Proposed Regulations
The proposed regulations would apply to a broad array of companies, with certain exceptions, and target a wide range of information held by them. The regulations would apply to banks, insurance companies, and other financial institutions that operate or are required to operate under New York’s banking laws, insurance laws, or financial services laws (Covered Entities). The regulations contain a limited exception to compliance for smaller entities that meet certain criteria, such as fewer than 1,000 customers in three calendar years. But unless the entity falls within one of three narrow exceptions, it must comply with the regulations.
The regulations focus on information technology systems maintained by an entity and the protection of customer information that is stored on such systems. They apply to “Nonpublic Information” defined to include business-related information that, if affected, would cause a materially adverse impact to business operations; any information that an individual provides to an entity in connection to seeking or obtaining a financial product or service; and any information that can be used to distinguish or trace an individual’s identity. This definition is broader than the definition of personally identifiable information traditionally used in state data breach notification laws.
Requirements of the Proposed Regulations
Under the regulations, Covered Entities are required to establish a cybersecurity program and implement a cybersecurity policy. The cybersecurity program must be designed to “ensure the confidentiality, integrity and availability” of the entity’s information systems and must perform specific “cybersecurity functions.” These functions include identifying internal and external cyber risks; detecting cybersecurity events; and responding to identified cybersecurity events. In turn, the cybersecurity policy must be in writing and set forth the Covered Entity’s policies and procedures for protecting its information systems and nonpublic information stored on those systems. The policy must address specific areas, including business continuity/disaster recovery and management of third-party vendors. A Covered Entity’s board of directors must review, and the senior officer(s) approve, the cybersecurity policy on an annual basis.
Further, a Covered Entity must appoint a Chief Information Security Officer (CISO), responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy. At least bi-annually, the CISO must provide a report to the board of directors that assesses the state of the entity’s information systems and analyzes the effectiveness of the cybersecurity program. A Covered Entity can use a third-party service provider to meet this requirement, but the entity is still responsible for compliance with the regulations.
The regulations also address third-party service providers and would require Covered Entities to implement written policies and procedures that ensure the security of information systems and nonpublic information accessible to, or held by, third-party vendors or providers. Again the written policies and procedures must address specific areas, such as minimum measures that the third party must employ toward the protection of data in order to do business with the Covered Entity. A Covered Entity must assess the adequacy of the third-party’s cybersecurity practices on an annual basis.
Other specific requirements that Covered Entities must institute as part of their cybersecurity program include:
- Penetration testing and vulnerability assessments of information systems on an annual and quarterly basis, respectively;
- Implementation and maintenance of an audit trail system;
- Limitation of access privileges to necessary individuals and periodically reviewing such access privileges;
- Development of a written application security procedure for both the development of in-house applications and the assessment of external applications;
- Annual risk assessments of information systems in accordance with a set of written policies and procedures;
- Employment and adequate training of cybersecurity personnel;
- Multi-factor authentication for remote access of internal systems and individual access of web applications that capture, display or interface with nonpublic information;
- Timely destruction of nonpublic information that is no longer necessary;
- Regular cybersecurity awareness training sessions for all personnel;
- Encryption of all nonpublic information held by the entity, both in transit and in rest; and
- A written incident response plan designed to promptly respond to, and recover from, a cybersecurity event.
The regulations also provide notification requirements which require that Covered Entities notify the New York Superintendent of Financial Services of any “cybersecurity event” that has a “reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information.” The New York Superintendent of Financial Services oversees the Department of Financial Services and has the authority to enforce New York’s banking and insurance laws. A Covered Entity must notify the superintendent of the cybersecurity event “as promptly as possible but in no event later than 72 hours after becoming aware of a “Cybersecurity Event,” defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse” either an information system or information stored on such as system. Critically, entities that only notify the superintendent of a confirmed data breach will not be in compliance. Covered Entities also would have to report any unauthorized attempt to access an information system, even if the entity successfully thwarted such an attempt.
Further, Covered Entities would be required to annually submit a written certification of compliance to the superintendent, who has the authority to enforce the regulations. The proposed regulations are subject to a 45-day notice and public comment period before its final issuance. As of today, the regulations will become effective on January 1, 2017. Covered Entities would be required to submit a certification of compliance to the superintendent commencing January 15, 2018.
New York State officials have described the regulations as “first-in-the-nation” and “groundbreaking.” To develop the proposed regulations and gain insight into the banking industry’s efforts to address cybersecurity, the Department of Financial Services surveyed nearly 200 regulated banking institutions and insurance companies. The department describes the regulations as not “overly prescriptive” and flexible enough to adapt to new threats and advances in technology.
However, the regulations are highly unusual and potentially burdensome in the amount of specific measures they require entities to adopt and maintain. Other government authorities have identified “minimum standards” that companies should adopt to prevent data breaches and protect private information without requiring the number of measures that New York proposed regulations would do here. For example, last February, the Attorney General of California published a data breach report that identified specific practices that would constitute “reasonable security measures” in compliance with California’s information security statute. For more information on the California Data Breach Report 2012-2015, click here. These practices included many of the same actions that the New York Department of Financial Services’ regulations require, such as multi-factor verification and encryption of data in transit. However, the California Attorney General only offered these actions as “recommendations,” not requirements. Nor did the California Attorney General impose new reporting requirements, certification requirements or other measures. Critics believe that these proposed regulations will be onerous and taxing for companies to institute, particularly smaller banks, credit unions and insurance companies that do not satisfy the regulation’s exceptions. They also believe that the proposed regulations do not allow an entity to shape its cybersecurity program and cybersecurity policy according to the particular threats it perceives.
Regardless of whether these regulations are changed or softened, companies - including those outside New York and the financial industry – should take note of the larger trend. New York’s proposed regulations may be incredibly specific and strict, but other government authorities are recognizing that there are minimum standards that companies should be adopting to protect its information systems and customers’ private information. While most authorities are framing these actions as “guidelines” or “recommendations,” they are part of a larger movement recognizing that companies have a responsibility to protect the private information of customers and the critical information systems on which these customers rely. In other words, minimum standards for cybersecurity are not going away any time soon and companies should be building a cybersecurity program and policy that satisfy these standards.
For additional information, contact Josh Mooney (215.864.6345; firstname.lastname@example.org), Jay Shapiro (212.714.3063; email@example.com), Laura Schmidt (215.864.6333; firstname.lastname@example.org), or another member of the Cyber Law and Data Protection Group.