New York Proposes New Cybersecurity Rules for Financial Institutions

By Karen Painter Randall

Recognizing that cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data, the New York State Department of Financial Services (“DFS”) has proposed new rules regarding cybersecurity requirements for financial services companies (Proposed 23 NYCRR 500). The proposed rules have been given an effective date of January 1, 2017. However, covered entities, as defined below, will have 180 days from that day to comply with all of the requirements.

The rules are “designed to promote the protection of customer information as well as the information technology systems of regulated entities.” A “covered entity” is defined as “any Person operating under or required under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.” Section 500.18 sets forth limited exemptions for covered entities with: (1) fewer than 1,000 customers in each of the last three calendar years; (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years; and (3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles.

The summary of rules below is meant to be an overview of the requirements.  Please contact Connell Foley LLP for a more detailed analysis as it relates to your enterprise.

Overview of Requirements

A. Cybersecurity Program

Each covered entity is required to establish a cybersecurity program. In designing a cybersecurity program, a covered entity must aim to perform certain core cybersecurity functions such as: (1) identifying the nonpublic information stored on the information systems, the sensitivity of such information, and how and by whom such information may be accessed; (2) using defensive infrastructure and the implementation of policies and procedures to protect such information; (3) detecting cybersecurity events; (4) responding to such events and mitigating any negative effects; (5) recovering from cybersecurity events; and (6) fulfilling regulatory reporting obligations. The program must also include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house applications. Such written procedures must be reviewed, assessed, and updated by the Chief Information Security Officer (see below).

B. Cybersecurity Policy

Each covered entity is also required to implement and maintain a written cybersecurity policy. The policy must be reviewed by the covered entity’s board of directors (or equivalent) and approved by a Senior Officer. If a board of directors or equivalent body does not exist, then the policy shall be reviewed and approved by a Senior Officer. Among other requirements, the policy shall address: (1) information security; (2) data governance and classification; (3) business continuity and disaster recovery planning and resources; (4) systems and network security; and (5) risk assessment.

C. Chief Information Security Officer (“CISO”)

Each covered entity shall designate a qualified individual to serve as the Chief Information Security Officer (“CISO”) who is responsible for overseeing and implementing the cybersecurity program and policy. While the use of third-party service providers is permitted, the covered entity must designate a senior member responsible for oversight. The CISO is required to develop a report (at least bi-annually) to be presented to the Board of Directors. The report is, among other things, required to: (1) assess the confidentiality, integrity and availability of the covered entity’s information systems; (2) identify cyber risks; (3) propose steps to remediate any inadequacies; and (4) include a summary of all material cybersecurity events.

D. Penetration Testing and Audit Trail

They cybersecurity program is required to include annual penetration testing, and quarterly vulnerability assessments. The program is also required to implement and maintain audit trail systems. Among other things, the audit trail system must: (1) track and maintain data that allows for the complete and accurate reconstruction of all financial transactions and accounting; (2) track and maintain data logging of all privileged authorized user access to critical systems; and (3) maintain records produced as part of the audit trail for not fewer than six years.

E. Risk Assessment

At least annually, each covered entity must conduct a risk assessment that shall be documented in writing. The risk assessment must be conducted in accordance with written policies and procedures. The policies and procedures must include, at a minimum: (1) criteria for the evaluation and categorization of risks; (2) criteria for assessing confidentiality, integrity and availability of the information system; and (3) requirements for documentation describing how identified risks will be addressed.

F. Third Party Information Security Policy

Each covered entity must implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to third parties. Such procedures must address, among other things: (1) the identification and risk assessment of third parties; (2) minimum cybersecurity practices required to be met by the third parties; and (3) periodic assessment (at least annually) of such third parties. The policies and procedures must also establish preferred provisions in third-party contracts.

G. Incident Response Plan and Notices to the Superintendent

Each covered entity must establish written incident response plans to promptly respond to and recover from cybersecurity events affecting the confidentiality of information systems. Upon becoming aware of a cybersecurity event that has a reasonable likelihood of affecting the normal operation of the covered entity or affects nonpublic information, the covered entity must notify the superintendent no later than 72 hours after becoming aware of such events.

H. Additional Security Measures

Each covered entity must limit access privileges to nonpublic information to solely those individuals who require such access to perform their responsibilities. The entities must also periodically review the access privileges. A covered entity must employ cybersecurity personnel sufficient to manage cybersecurity risks. Such personnel must attend regular update and training sessions to stay abreast of changing cybersecurity threats. So long as the covered entity complies with the other requirements of the rules, they may use a qualified third party to assist. Finally, each covered entity must also require multi-factor authentication for any individual accessing the covered entity’s internal systems and nonpublic information. Any nonpublic information being held or transmitted must be encrypted.

Click here for a printable PDF of this summary.