By Byron V. Acohido
Banks and other financial services companies wishing to do business in the state of New York will soon have to prove they are using first-class cybersecurity policies and practices.
Officials at the New York State Department of Financial Services (NYDFS) were so concerned that a catastrophic network hack in the financial sector could have dire consequences that they took it upon themselves to draft a far-reaching set of mandatory cybersecurity requirements.
Two years in the making, it is called the Cybersecurity Requirements for Financial Services Companies. And it is set to take effect Jan. 1.
Heading off hacks
A comment period on the draft proposal closed Nov. 14. Officials now are reviewing the comments, and modifications could yet be made. However, if the rules as drafted stay mostly intact, as expected, we could witness a paradigm shift driven by hefty new regulations.
New York’s effort to compel financial services companies to do much better at cybersecurity goes miles further than California’s pioneering data loss disclosure law. In 2003, California lawmakers required companies that lose personal information to inform the individuals whose data has gone missing. And with the U.S. Congress in perpetual gridlock, 46 other states followed suit and passed similar data loss notification laws.
It’s going to be fascinating to see if the cycle repeats itself. “There have been some articles from the insurance sector welcoming regulation,” says Richard Borden, a cybersecurity attorney at Robinson & Cole. “Others see this as overbearing, especially for smaller entities. It’s going to require a large compliance regime, and smaller companies are going to have a lot of trouble with that, from an operational and a technical standpoint.”
Long and detailed checklist
Under New York’s new rules, an institution must establish a program capable of ensuring the confidentiality and integrity of its information systems. The scope of the new rules is broad, and the specific requirements are very detailed. Minimum requirements call for programs that:
• Identify internal and external cyber risks
• Use defensive infrastructure
• Implement a cybersecurity policy to protect nonpublic information from unauthorized access
• Detect and respond to cybersecurity events while ensuring resumption of normal operations following such events
• Develop written procedures to assess and test the security of externally developed applications
• Develop written policy and procedures for timely destruction of nonpublic information
• Establish risk-based policies, procedures and controls to monitor activity of authorized users and detect unauthorized access
• Establish a written incident response plan
• Provide for annual penetration testing and quarterly vulnerability assessments of information systems
• Establish an audit trail system that will allow for complete reconstruction of all financial transactions following a cybersecurity event
• Designate a qualified individual to serve as chief information security officer (CISO) or outsource the function to a third-party provider.
Responsibility shifts
“Your cybersecurity policy has to be signed off not only by your chief information security officer, but also by the heads of operations, management, compliance and risk,” Borden notes. “It changes who is responsible for cybersecurity at the institution. It actually forces cybersecurity into the entire C-Suite, and then pushes it up to the board.”
New York officials did not just reach into thin air to come up with these rules. They went to the National Institute of Standards and Technology (NIST) and borrowed the cybersecurity policies and practices that the U.S. government requires all federal agencies to adhere to.
NIST frameworks are robust, as they are the work of a cross-section of the best-and-brightest subject matter experts. Trouble is, outside of the federal government, NIST recommendations are typically viewed as benchmarks to strive for, strictly on a voluntary basis.
Keep in mind, New York’s new rules affect not just banks, but also insurance companies, mortgage brokers and asset managers domiciled in New York. “This affects 1,900 companies with $2.9 trillion in assets under management,” Borden says.
Borden says he will not be surprised if officials concede to give companies more than 180 days to come into compliance, as called for in the draft. “You have to put seven policies in place, define your controls, test them, and do an assessment that can be reported up to the board,” Borden says. “I don’t think that can happen in 180 days, even for institutions that are mostly ready. I think they may have to push the date out, but I don’t think they’re going to materially weaken the requirements.”