Will Other States Follow New York’s Lead in Establishing Cyber Regulations?
Proposed cybersecurity regulations in New York may have some financial institutions (FIs) scrambling to comply. If implemented, the mandatory requirements would be the first-of-their-kind in the US, which may lead other states to impose such regulations on the industry.
Proposed by the New York State Department of Financial Services (NYDFS), the rules will require all FIs chartered in New York to implement cybersecurity measures, ranging from established practices to specific policies and procedures. The draft regulation is open for comment until November 12, and is scheduled to take effect January 1, 2017, if adopted.
Beyond understanding the details of the regulations, FIs should review existing policies and procedures to ensure compliance.
The regulations will apply to organizations operating in the banking, insurance, and other financial services industries under the purview of the NYDFS. Among other things, they would require FIs to establish a cybersecurity program that:
- Identifies cyber risks.
- Implements policies and procedures to protect unauthorized access/use or other malicious acts.
- Encrypts all nonpublic information held or transmitted by the covered entity.
- Detects and responds to cybersecurity events, and provides recovery and restoration.
- Adopts a written cybersecurity policy.
A designated chief information security officer (CISO) would be responsible for implementation, oversight, and enforcement, including:
- Assessing information systems.
- Identifying cyber risks.
- Assessing the effectiveness of the cybersecurity program.
- Proposing steps to remediate any inadequacies identified.
FIs would also be required to ensure the security of information systems and nonpublic information that are accessible to or held by third parties, including:
- Risk identification and assessment.
- Requiring minimum cybersecurity practices for vendors, including enumerated “preferred provisions.”
- Due diligence processes to evaluate the adequacy of their cybersecurity practices.
- Periodic assessments of their cybersecurity practices.
The regulation also requires FIs to:
- Notify the superintendent no later than 72 hours after of any cybersecurity event that may affect the normal operation of the FI.
- Submit annually a written statement certifying their compliance, including maintaining records, schedules, and data supporting the certificate for a period of five years.
Complying With the Regulations
Potential areas of difficulty in complying with the regulations include budgetary and personnel constraints, executive leadership buy-in, and the need to revisit and potentially revamp vendor procurement policies and procedures. Organizations can address some of these issues by:
- Bringing them to the board.
- Overlaying the regulations’ requirements against existing policies and procedures to identify and address potential redundancies and gaps.
- Understanding how insurance such as cyber liability can help mitigate and transfer risks.
If affected by these regulations, you should work now with your insurance advisors to ensure that you understand the proposed regulation and are able to comply.