In September, the New York Department of Financial Services (“DFS”) proposed new rules (“Rules”) that would require covered financial institutions – banks, insurers, and other institutions regulated by the DFS – to establish and maintain cybersecurity programs to protect consumer data and financial systems from cyberattacks. The Rules may have a very broad impact, if implemented, as they could be the template that other states follow when overseeing their own financial institutions.
The proposed Rules were based on DFS’s survey of nearly 200 banking institutions and insurance companies regarding emerging cybersecurity trends and risks. According to Governor Cuomo, “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”
Cybersecurity legal experts believe that the Rules may serve as a model for other states to follow. The Rules would not only affect the covered institutions but also third-party vendors transacting business with them, and would clearly shape covered entities’ contract negotiations with third parties. A 45-day public comment period for the Rules began September 28, 2016. The Rules have a proposed effective date of January 1, 2017, after which covered entities would have 180 days to comply.
Some important aspects of the Rules are summarized below:
Cybersecurity Program: A covered entity would be required to design a cybersecurity program addressing “core cybersecurity functions,” such as:
- Identifying and assessing access to non-public information stored on the entity’s information system;
- Protecting the entity’s information systems from “unauthorized access, use or other malicious acts”;
- Detecting, responding to, and recovering from attempted or successful cybersecurity breaches; and
- Fulfilling all regulatory reporting obligations.
Cybersecurity Policy: The Rules would require a covered entity to implement written cybersecurity policies for protecting its information systems, addressing areas such as: information security, data governance, access controls, disaster recovery plans, systems and network monitoring, and incident response. The Rules would require that the policies be reviewed annually by an entity’s board of directors or equivalent governing board and approved by a Senior Officer.
Chief Information Security Officer: The Rules would require an entity to appoint a Chief Information Security Officer to oversee and implement the entity’s cybersecurity program and enforce its cybersecurity policy. However, the entity would be permitted to fulfill this requirement by outsourcing that responsibility to a third-party vendor, so long as the entity: (1) retains responsibility for compliance with this requirement; (2) designates a senior member of the entity to oversee the third party; and (3) requires that the third party maintain a cybersecurity program that meets the requirements of this provision.
Third Party Information Security Policy: The Rules would require a covered entity to establish written policies and procedures to ensure the security of its information systems and of non-public information accessed or held by third parties doing business with the covered entity. Among other things, the policies and procedures would have to set minimum cybersecurity standards that a third party must meet in order to conduct business with the covered entity.
Limited Exemptions: The Rules provide a limited exemption for covered entities that meet all three of the following criteria:
- Fewer than 1,000 customers in each of the last three calendar years;
- Less than $5,000,000 in gross annual revenue in each of last three fiscal years; and
- Less than $10,000,000 in year-end total assets.
This exemption releases such institutions from some, but not all, of the requirements outlined in the Rules. For example, exempted institutions would still need to meet the cybersecurity program and cybersecurity policy requirements. See proposed 23 NYCRR Part 500.
The Rules are the first attempt by a regulator to impose overarching rules requiring financial institutions to implement cybersecurity policies.