On September 13, 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require financial service institutions to develop and implement cybersecurity programs to prevent and mitigate cyber-attacks. The proposed regulation will be subject to a 45-day comment period once it is published in the New York State Register. The regulation will become effective January 1, 2017.
The proposed regulation would impose several obligations on “covered entities,” which the proposed regulation defines as financial institutions regulated by New York’s banking, insurance, or financial services laws, such as banks and insurance companies. Specifically, the entities must annually submit to the Superintendent of Financial Services a written certification that the entity complies with the following requirements of the regulation:
(1) Notify the Superintendent of Financial Services of Cyber Events
Covered entities will be required to notify the Superintendent of any cybersecurity event with a “reasonable likelihood of materially affecting the [entity’s] normal operation or that affects [n]onpublic [i]nformation” within 72 hours of becoming aware of the event. A “cybersecurity event” is defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an [i]nformation [s]ystem or information stored on such [i]nformation [s]ystem.”
(2) Establish a Cybersecurity Program
Covered entities will be required to assess their specific risk profile to design a cybersecurity program that performs the following cybersecurity functions:
- Identification of internal and external cyber risks;
- Implementation of policies and procedures to protect against unauthorized access or malicious acts;
- Detection of cybersecurity events;
- Mitigation of any identified cybersecurity events;
- Recovery from cybersecurity events; and
- Fulfillment of regulatory reporting requirements.
(3) Adopt a Cybersecurity Policy
Covered entities will be required to implement and maintain a written policy setting forth the procedures for protecting their information systems. The policy must address, at a minimum, the following fourteen areas:
- Information security;
- Data governance and classification;
- Access controls and identity management;
- Business continuity and disaster recovery planning and resources;
- Capacity and performance planning;
- Systems operations and availability concerns;
- Systems and network security;
- Systems and network monitoring;
- Systems and application development and quality assurance;
- Physical security and environmental controls;
- Customer data privacy;
- Vendor and third-party service provider management;
- Risk assessment; and
- Incident response.
(4) Appoint a CISO
Covered entities will be required to designate a Chief Information Security Officer (“CISO”), who will be responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy. The CISO is required to report to the entity’s governing body, at least bi-annually, regarding the assessed integrity of the information systems, exceptions to the entity’s cybersecurity policies and procedures, cyber risks to the entity, the effectiveness of the cybersecurity program, proposed remediation of deficiencies in the program, and all material cybersecurity events in the time period covered by the report. The regulation contemplates that entities may fulfill the CISO requirement using third-party service providers.
(5) Require Third-Party Service Providers to Secure Certain Information
Covered entities that do business with third-party service providers will be required to have policies and procedures in place to ensure the security of information systems and nonpublic information accessible by, or held by, those third parties. Such policies must set forth the identification and risk assessment of third-party providers, the minimum security requirements third-party service providers must meet, the due diligence processes used to assess the cybersecurity practices of the third parties, and terms for annual periodic assessment of the third party’s cybersecurity practices.
(6) Implement Certain Controls
Covered entities will be required to deploy certain controls on their information systems, including, among others, multi-factor authentication for remote access, privileged user access, and web-based access to nonpublic information; privileged access limitations; and encryption of all nonpublic information at rest and in transit.
(7) Test and Monitor Information Systems
Covered entities will be required to include in their cybersecurity program a provision for annual penetration testing and vulnerability assessments of the entity’s information system(s). They must also implement and maintain an audit trail that captures and stores specific types of information for no less than six years.
(8) Conduct Cyber Awareness Training
Covered entities will be required to employ and regularly train cybersecurity personnel to manage the cybersecurity program and policies. The cybersecurity personnel must stay abreast of changing cybersecurity threats.
The proposed regulation does provide for limited exemptions that are available for smaller businesses—such as businesses with (i) fewer than 1,000 customers in each of the last three calendar years; (ii) less than $5 million in gross annual revenue in each of the last three fiscal years; and (iii) less than $10 million in year-end total assets (calculated in accordance with GAAP).