In my previous post, I reviewed the New York State Department of Financial Services’ (NYDFS) findings and conclusions of survey results of financial institutions and insurers’ programs, costs, and future plans related to cybersecurity.
Anthony J. Albanese – Acting Superintendent of Financial Services – writes in a November 9, 2015 letter to Financial and Banking Information Infrastructure Committee (FBIIC) Members that these conclusions have demonstrated a need for new cybersecurity regulations for financial institutions.
Such “robust regulatory action” would be a coordinated effort between state and federal agencies to create a thorough cybersecurity framework addressing critical concerns as well as covering New York-specific interests.
Potential regulations implemented by the NYDFS would require covered financial entities to meet specific cybersecurity obligations in the following areas:
- Cybersecurity policies and procedures;
- Third-party service provider management;
- Multi-factor authentication (i.e., requiring covered entities to apply such authentication to customer, internal, and privileged access to confidential information as well as any access to internal systems or data from an internal network);
- Chief Information Security Officer (i.e., covered entities will be required to have a CISO responsible for overseeing and implementing a cybersecurity policy, among other duties);
- Application security (i.e., covered entities must have and set forth written policies, procedures, and guidelines to ensure the security of all applications utilized by the entity which need to be updated annually by the CISO);
- Cybersecurity personnel and intelligence (i.e., covered entities will need to hire cybersecurity personnel who can handle certain cyber risks and perform core functions of “identify, protect, detect, respond and recover,” as well as providing mandatory training to such personnel);
- An audit function; and
- Notice of cybersecurity incidents.
Some of these proposed requirements are set forth in more detail below.
Cybersecurity Policies and Procedures
Covered entities, Albanese writes, would need to implement and maintain written cybersecurity policies and procedures addressing the following areas:
(1) information security;
(2) data governance and classification;
(3) access controls and identity management;
(4) business continuity and disaster recovery planning and resources;
(5) capacity and performance planning;
(6) systems operations and availability concerns;
(7) systems and network security;
(8) systems and application development and quality assurance;
(9) physical security and environmental controls;
(10) customer data privacy;
(11) vendor and third-party service provider management; and
(12) incident response, including by setting clearly defined roles and decision making authority.
Third-party Service Provider Management
Albanese wants covered entities to ensure that third-party cybersecurity policies and procedures are implemented. Third-party service providers who hold or have access to sensitive data or systems will need to adhere to certain contractual terms, including the following provisions:
(1) the use of multi-factor authentication to limit access to sensitive data and systems;
(2) the use of encryption to protect sensitive data in transit and at rest;
(3) notice to be provided in the event of a cyber security incident;
(4) the indemnification of the entity in the event of a cyber security incident that results in loss;
(5) the ability of the entity or its agents to perform cyber security audits of the third party vendor; and
(6) representations and warranties by the third party vendors concerning information security.
Annual penetration testing as well as quarterly vulnerability assessments will be a new requirement for covered entities. Such entities will also be responsible for maintenance of an audit trail system that perform the following functions:
(1) logs privileged user access to critical systems;
(2) protects log data stored as part of the audit trail from alteration or tampering;
(3) protects the integrity of hardware from alteration or tampering; and
(4) logs system events, including access and alterations made to audit trail systems.
Notice of Cybersecurity Incidents
Covered entities, Albanese writes, will need to immediately notify the NYDFS of any cyber security incident that is reasonably likely to materially affect such entity’s normal operation, including a cybersecurity incident
(1) that triggers certain other notice provisions under New York Law;
(2) of which the entity’s board is notified; or
(3) that involves the compromise of “nonpublic personal health information” and “private information” as defined under New York Law, payment card information or any biometric data.
These potential requirements are subject to further review and revision by the NYDFS, and there is no timetable for when these requirements will become the law of the land in New York. It will be interesting to see if and when covered entities begin implementing these requirements in advance of a legal obligation to do so. Will other states’ regulatory agencies enact similar regulations modeled on the NYDFS proposals? Look for developments on this topic in the news and on this website.
Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.