WHAT YOU NEED TO KNOW ABOUT NEW YORK'S PROPOSED CYBER SECURITY REGULATION
On September 13, 2016, Governor Cuomo proposed new Cyber Security Regulations for New York State Financial Services Firms. As the leader of a small financial institution or insurance organization, it's critical that you align with the regulations in order to avoid fines and regulatory consequences. More so, you should align with the regulatory requirements and maintain a culture of cyber security because security incidents and data breaches pose huge risks not only for every bank's customers, but for every Financial Institution and its Directors and Officers themselves. Between recent FBI investigations and increasing shareholder lawsuits against financial institutions for failing to implement adequate security measures, personal wealth is at stake for Directors and Officers who do not exercise appropriate oversight of their organization's cyber risks. If the proposed New York Cyber Security Regulation (23 NYCRR 500) is implemented, it will be effective January 1, 2017 and would be the first-in-nation state provision creating mandatory cyber security and risk management regulations for banks, insurance companies and all other financial services firms licensed in New York, requiring them, under the State Department of Financial Services, to establish and maintain a cyber security program designed to protect consumers and ensure the safety and maintenance of New York's financial services industry. The broad scope of the regulation applies to both individuals and entities operating under a license, registration, permit or similar authority under New York banking, insurance or financial services laws. As such, it's critical that you understand the main requirements of the regulation and work with a Cyber Security Expert to ensure you're protected and implement the necessary protocols and solutions to meet the minimum standards set forth below.
WHY DID THE STATE OF NEW YORK PROPOSE THESE REGULATIONS?
In response to increased consumer demand for portability and instant access to financial information through ATMs, mobile devices and public computers, financial services firms have had to respond and adapt to remain competitive through increased reliance on third-party vendors and other technology solutions. As a result, financial institutions are faced with new vulnerabilities both to their own systems and through consumer access points, with the Chair of the SEC, Mary Jo White, recently stating that "Cyber Security is the biggest risk facing the financial system." With the prospect of direct access to roughly $150 trillion throughout the global banking industry, it is no surprise that financial institutions are one of the top targets for cyber criminals. In 2014 alone, the FBI reported that more than 500 million records were compromised from financial institutions, costing the industry hundreds of millions of dollars in asset thefts, business interruption, regulatory fines, post-breach expenses and litigation, and the unquantifiable loss of reputation. SWIFT, the world's leading provider of secure financial messaging services connecting more than 11,000 banking organizations across 200 countries, has been under recent scrutiny as hackers stole more than $81 million from the central bank of Bangladesh's New York Federal Reserve account using its messaging service, plus an additional $12 million from a bank in Ecuador. There is no question that these high-profile attacks have ushered in a new era for all financial institutions; as a result, cyber security must become a top-priority issue for all boards of directors, and it is time to Rethink Cyber Security Management. In light of recent events and the growing threat landscape, the New York State Department of Financial Services (DFS) proposed long-awaited Cyber Security Regulations for Financial Services Companies on September 13, 2016.
There is a 45-day public notice and comment period, and unless further notified, the regulation will go into effect January 1, 2017 and you better be prepared!
BACKGROUND ON THE REGULATION:
It's quite clear to see how large this risk is to financial institutions, but you may be asking yourself:
"How did these regulations arise?"
These proposed regulations arose out of a series of surveys that the Department of Financial Services rolled out to the Banking Sector, the Insurance Sector and Third-Party Providers. Based on those surveys' findings, the Department identified five critical elements that it believes should be the foundation of a comprehensive cyber security program, which are as follows:
A written information security policy;
Security awareness and education and training for employees;
Information security audits;
Risk management of cyber risk (including the identification of key risks and trends);
Incident monitoring and reporting.
Now let's get to what you've been waiting for. Here's what you need to know about New York's proposed cyber regulation:
The proposed regulation is broad in scope. It applies to any individual or entity operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance, or financial services laws, subject to certain limited exemptions for smaller entities. The regulation defines smaller entities as having:
Fewer than 1,000 customers in each of the last three calendar years;
Less than $5 million in gross annual revenue in each of the last three fiscal years; and
Less than $10 million in year-end total assets as calculated by GAAP.
Even these smaller entities are still expected to comply with many of the regulation's requirements.
The broad scope of the proposed regulation continues with its definition of "nonpublic information," which is defined to include any information that an individual provides to a covered entity in connection with seeking or obtaining a financial product or service.
If approved, the regulation will affect all financial license holders in New York, including bitcoin companies that have been approved under BitLicense.
The proposed regulation's primary purpose is to ensure that all companies, large and small, in the banking, insurance, and financial services industries have a cyber security program in place. While an increasing number of companies already do, the proposed regulation makes this mandatory across the board and requires it to be in writing. Among the requirements, the proposed regulation requires companies to have a program that:
Identifies internal/external cyber security risks;
Uses defensive infrastructure to protect covered information;
Detects "cyber security events" such as a breach; and
Fulfills regulatory reporting obligations.
If a company uses a third party to handle its information systems or retain its data, the proposed regulation further obligates the third party to ensure that certain minimum cyber security practices are being met. This includes mandatory periodic assessments and requiring third parties to have written policies that, in some instances, may include warranties that the entity is free from viruses and other security vulnerabilities. This gets quite dicey in Section 500.11 of the Regulation, "Third Party Information Security Policy," which requires each regulated firm to implement written policies and procedures governing the third parties with which it contracts. At a minimum, these policies and procedures must address the following:
The identification and risk assessment of third parties with access to such Information Systems or such Nonpublic Information;
Minimum cybersecurity practices required to be met by such third parties in order for them to do business with the Covered Entity;
Due Diligence processes used to evaluate the adequacy of cybersecurity practices of such third parties; and
Periodic assessment, at least annually, of such third parties and the continued adequacy of their cybersecurity practices.
To further complicate matters, these policies and procedures call for establishing preferred provisions to be included in contracts with third-party service providers, including provisions that require your vendors to:
1. Use Multi-Factor Authentication as set forth in Section 500.12 to limit access to sensitive systems and Nonpublic Information;
2. Use encryption to protect Nonpublic Information in transit and at rest;
3. Provide prompt notice to the Covered Entity in the event of a Cybersecurity Event affecting the third-party service provider;
4. Provide identity protection services for any customers materially impacted by a Cybersecurity Event that results from the third-party service provider's negligence or willful misconduct;
5. Provide representations and warranties that the service or product provided to the Covered Entity is free of viruses, trap doors, time bombs and other mechanisms that would impair the security of the Covered Entity's Information Systems or Nonpublic Information; and
6. Grant the Covered Entity or its agents the right to perform cybersecurity audits of the third-party service provider.
CHIEF INFORMATION SECURITY OFFICER (CISO):
For larger companies, the proposed regulation will require the designation of a chief information security officer (CISO), who will be tasked with implementing, overseeing, and enforcing the cyber security program. In particular, the CISO will review the cyber security policy annually and report bi-annually on the program to the company's governing body. Again, while such reporting mechanisms may already be in place at some companies, the proposed regulation will make this standard. Rightfully so, the concern within the regulation is the CISO's obligation to make the bi-annual report available to the NYDFS superintendent upon request.
MULTI-FACTOR AUTHENTICATION & ENCRYPTION:
Until now, multi-factor authentication has been a best-practice, not a requirement. The proposed regulation would require large companies to use multi-factor authentication for access to internal systems or data from an external network or to servers that contain nonpublic information, as well as risk-based authentication for individuals accessing web applications that contain the same. The proposed regulation likewise requires encryption for all nonpublic information, with limited exceptions.
LIMITS ON DATA:
Another key provision of the proposal is its limit on data retention. Companies subject to the regulation will be required to destroy all nonpublic information that is no longer necessary for the provision of products and services for which the information was originally provided. And let me tell you, the definition of nonpublic information is surprisingly broad.
As defined in Sec. 500.01(g) of the proposed regulation, NPI includes all nonpublic electronic information that contains traditional personally identifiable information elements, health information, financial transaction information, and what is generally known as nonpublic financial information under the Gramm-Leach-Bliley Act. It also includes “any business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity.”
This last item noted above goes well beyond usual definitions of Personally Identifiable Information, personal data or confidential information regulated by privacy and data security statutes or vendor contracts, and is certain to generate significant negotiations with vendors when finalizing regulatory-compliant data security exhibits to vendor service agreements.
The proposed regulation also encompasses app security, requiring companies to ensure the use of secure development practices for in-house developed apps.
REPORTING & CERTIFICATION REQUIREMENT:
When a "cyber security event" such as a breach occurs, the proposed regulation requires companies to notify the Department within 72 hours. The regulation further requires companies to certify to the Department annually that their cyber security programs are in compliance and to maintain all supporting documentation for a five-year period.
STAFF & TRAINING:
The proposed regulation further requires companies to employ cyber security personnel to manage the program, as well as to provide for mandatory and regular cyber security education and training.
New York's proposed cyber security regulation is consistent with the shift towards greater regulation in the cyber security space, particularly for the financial services sector, and is likely to set the precedent for other states and perhaps the nation to follow. The question, though, is: are we properly focused?
For some ahead-of-the-curve companies, this "new" cyber security regulation may not seem all that new. I mean, JP Morgan spends $500M annually on cyber security alone, and they lost 83 million records in 2014. That said, the smaller banks and regulated entities will be hit by the regulation and the mandatory cyber security standards and protocols it's imposing on them. Several of the requirements will require a fairly significant capital injection, such as the designation of a CISO (although we believe this can be an outsourced CISO), and other items such as ongoing staff training and education, all of which have large cost implications. These costs, however, will still be significantly lower than the costs associated with a data breach. It's the smaller firms that cannot withstand the wrath of a security incident. Nearly 60% of small-to-medium sized businesses are out of business within 6 months of a successful data breach. Although the data breaches compromising customer identity are the ones that make headlines, it is the loss of proprietary information and trade secrets that can cripple an organization. It's the lifeblood of every company.
Further, the biggest impact of the regulation may be felt by smaller entities because, unlike their larger counterparts, they do not already have many of the required policies and procedures in place. Under the new regulation, smaller entities will still be required to have a cyber security program and a written policy in place, limit access privileges to nonpublic information, conduct annual risk assessments, and comply with the notice and certification requirements.
In addition, the broad definition of nonpublic information, the data retention limit, and mandatory multi-factor authentication may require some companies to reassess their existing data storage and retention policies. What's more, because New York is considered a leader for the financial services industry, this regulation may be a harbinger of things to come for other states as well.
"Many organizations across the country must adequately prepare and assume that New York is simply setting the standard for the rest of the nation in cyber security."