In early September, New York Governor Andrew Cuomo introduced new regulation that would make the state the first in the nation to enforce a cybersecurity program for financial institutions. While some have compared the regulation to the FFIEC (Federal Financial Institutions Examination Council)’s Cybersecurity Assessment Tool and guidelines, the proposed regulation would actually go much further in its quest to ensure all financial institutions in NY are prepared for, and are doing their best to prevent, cyber attacks.
What’s in the Proposed Regulation
The proposed regulation takes the guidelines from the FFIEC a bit further by imposing a reporting obligation and requiring the formal appointment of a CISO, who is held accountable for implementing and reporting on the cybersecurity program.
The FFIEC’s five preparedness functions are:
- Risk management and oversight.
- Threat intelligence and collaboration.
- Cybersecurity controls.
- External dependency management.
- Cyber incident management and resilience.
Much like those, New York’s proposed regulation will require financial institutions to create a cybersecurity policy with six key components:
- Identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored on the Covered Entity’s Information Systems, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed.
- Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts.
- Detect Cybersecurity Events.
- Respond to identified or detected Cybersecurity Events to mitigate any negative effects.
- Recover from Cybersecurity Events and restore normal operations and services.
- Fulfill all regulatory reporting obligations.
Per McGuireWoods LLP, a couple of other important pieces in the proposed regulation include the requirement to notify DFS within 72 hours of a breach (but no requirement to notify customers), and the lack of a requirement or even a recommendation to acquire cybersecurity insurance. This is notable, as the DFS was the first financial regulator in the country to include cybersecurity insurance as part of its examinations in late 2014.
Who Does This Apply To
The regulation applies to all financial services companies (including banks and insurance agencies) regulated by the State Department of Financial Services, with very few exceptions, listed below:
- Fewer than 1,000 customers in each of the last three calendar years.
- Less than $5,000,000 in gross annual revenue in each of the last three fiscal years.
- Less than $10,000,000 in year-end total assets.
It is unclear, however, if the regulation will also apply to federally chartered institutions, since the language around “covered entities” was left quite vague, per Harris Beach.
Commentary From Industry Associations
Doug Johnson of the American Bankers Association said in an interview with Homeland Preparedness News that the NY regulation was “fairly consistent with what our responsibilities are at the federal regulatory level,” though the ABA is seeking clarification on a couple of pieces of the regulation, including:
- The process of cybersecurity certification, and what happens when a bank is found not compliant.
- Multi-factor authentication and the opportunity for a bank to determine where it is and is not needed.
- The breach notification process.
The ABA has been working with the Department of Financial Services in an attempt to harmonize the different regulations and data breach notification policies from state to state and even nationally, arguing that a national law is needed to eliminate the confusion.
What This Means for the Rest of the Country
It’s notable that the first state to make a foray into cybersecurity regulation is NY, due to its status as a financial center. In a press release, Governor Cuomo stated: “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”
Because of New York’s influence, this is unlikely to be the last we hear of a state regulatory body moving into the cybersecurity space. In fact, we’d be willing to bet that several others will soon follow suit, potentially paving the way for a national standard after all.
In the meantime, financial institutions looking to get ahead on risk management and customer security can check out our tear sheet on how Rippleshot’s Sonar product can help identify risks and confirmed breaches of cardholder information early and accurately: