On November 9, 2015, the New York State Department of Financial Services (NYDFS) sent a memorandum entitled Potential New NYDFS Cyber Security Regulation Requirements to several federal and state financial services regulators, including banking, securities and insurance regulatory, administrative and supervisory bodies.
These potential regulations are based on results of two sets of surveys of financial entities about their “cyber security programs, costs and future plans.” NYDFS surveyed 150 banks and 43 insurance companies. The results of the May 2014 banking industry survey are here and an update to that survey, dated April 2015, is found here. The results of the February 2015 insurance industry survey are here.
As the memo noted:
Several broad conclusions and concerns . . . emerged from these reports and the risk assessments (the latter of which are still ongoing), as well as from the dozens of discussions that the Department has held with its regulated entities, cyber security experts, and other stakeholders. First, although financial institutions have taken significant steps to bolster cyber security efforts in recent years, companies will continue to be challenged by the speed of technological change and the increasingly sophisticated nature of threats. Cyber security programs must remain dynamic to keep pace with this fast-changing landscape. Second, third-party service providers often have access to sensitive data and to a financial institution’s information technology systems, providing a potential point of entry for hackers. A company may have the most sophisticated cyber security protections in the industry, but if its third party service providers have weak systems or controls, those protections will be ineffective. Finally, the scale and breadth of the most recent breaches and incidents demonstrate that cyber security is a global concern that affects every industry at all levels.
These potential regulations would require covered entities to maintain a cyber security program designed to perform core cyber security functions with specific requirements in at least the following eight categories:
- Cyber Security Policies and Procedures;
- Third-party Service Provider Management;
- Multi-Factor Authentication;
- Chief Information Security Officer;
- Application Security;
- Cyber Security Personnel and Intelligence;
- Audit; and
- Notice of Cyber Security Incidents.
NYDFS issued the memo in part because it “believes that it would be beneficial to coordinate its efforts with relevant state and federal agencies to develop a comprehensive cyber security framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.”
In addition to these potential regulations, NYDFS has already instituted several actions. For example, NYDFS “expanded its information technology examination procedures to focus more attention on cyber security. As part of this revised examination process, the Department began conducting risk assessments of its financial institutions in late 2014 and early 2015.” NYDFS issued letters to companies “to gather information about industry-wide risks and vulnerabilities, as well as to help prioritize the scheduling of examinations.”
Goldberg Segalla will continue to monitor this story and advise of any updates.