In a November 9, 2015 letter to members of the Financial and Banking Information Infrastructure Committee (“FBIIC”), the Acting Superintendent of the New York Department of Financial Services (“NY DFS”) outlined key elements of potential new regulations by the NY DFS addressing cybersecurity risk (“Cybersecurity Proposal”) and encouraged FBIIC members to work with the NY DFS in developing a comprehensive cybersecurity framework for all regulated financial institutions. The NY DFS regulates entities and products that are subject to New York insurance, banking and financial services laws. The FBIIC is composed of state and federal agencies that regulate companies and products in the financial services sector, including the U.S. Securities and Exchange Commission (“SEC”), the Office of the Comptroller of the Currency (“OCC”) and the National Association of Insurance Commissioners (“NAIC”). The stated goal of the NY DFS is to stimulate dialogue among federal and state financial regulators to promote collaboration and, ultimately, regulatory convergence.
The NY DFS’s interest in cybersecurity is well known, but the Cybersecurity Proposal is the most detailed description thus far of how the NY DFS intends to improve cybersecurity standards of the entities it regulates. In the NY DFS’s May 2014 report on cybersecurity risk in the banking industry (updated April 2015) and its February 2015 report focusing on the insurance industry, the NY DFS expressed concerns with the cybersecurity programs of NY DFS-regulated banks and insurance companies, especially with respect to third-party service providers. In the interim as the NY DFS considered how to address cybersecurity through regulations, it expanded the information technology aspects of its examinations of the financial institutions it regulates and has been performing specific cybersecurity risk assessments. The cybersecurity regulatory principles proposed by the NY DFS go well beyond safeguarding customer information, and also cover business continuity, system availability and quality assurance and other operational factors.
The NY DFS’s Cybersecurity Proposal would require that entities subject to regulation (namely, banks and insurance companies, referred to in the proposal as “Covered Entities”) address the following:
1. Chief Information Security Officer and Cybersecurity Policies and Procedures
Covered Entities would need to designate a Chief Information Security Officer (“CISO”) and maintain written cybersecurity policies and procedures (“Cybersecurity Policies and Procedures”) governing several topics such as information security, disaster recovery planning, system and network security, customer data privacy, vendor and third-party service provider management and incident response.
2. Third-Party Service Provider Management
Cybersecurity Policies and Procedures would need to address the security of data that is accessible to or held by third-party service providers. Key terms of contracts for third-party service provider agreement would need to be specified, including provisions specifying technical controls such as multi-factor authentication and data encryption, as well as more procedural protections, such as requiring notice to and indemnification of the Covered Entity in the event of a cybersecurity incident, provisions for cybersecurity audits and contractual representations and warranties.
The NY DFS is particularly concerned with third-party service providers to the extent they have access to sensitive data and to a financial institution’s IT systems themselves, which provides a potential point of entry for hackers. In its Cybersecurity Proposal, the NY DFS emphasizes, “A company may have the most sophisticated cyber security protections in the industry, but if its third party service providers have weak systems or controls, those protections will be ineffective.”
3. Multi-Factor Authentication
Crossing into the specification of a particular technical control, the NY DFS stated that Cybersecurity Policies and Procedures would be required to address multi-factor authentication for accessing web applications and database servers that capture or display confidential information. Multi-factor authentication would be required in order to access a Covered Entity’s internal systems or data from an external network. It does not include in its summary whether an entity could make a showing of a compensating control or demonstrate undue financial or operating burden in the implementation of multi-factor control. As written, it suggests that multi-factor authentication would be an absolute requirement, regardless of cost, operational impacts, technical constraints, or the overall posture of information security protections.
4. Annual Report to Be Submitted to NY DFS
A Covered Entity’s CISO would oversee cybersecurity programs and submit annual reports to the NY DFS that have been reviewed by the Covered Entity’s board of directors regarding the cyber risks to the entity and its cyber security program.
5. Application Security
A Covered Entity would maintain written procedures, guidelines and standards (reviewed and updated by the CISO annually) to ensure the security of all applications that are utilized by the Covered Entity.
6. Cybersecurity Personnel and Intelligence
Covered Entities would employ persons (or use third parties) to manage cybersecurity risks and perform five core cybersecurity functions: identify, protect, detect, respond and recover. Training on such risks would also be mandatory.
Annual penetration testing and quarterly vulnerability assessments would be required. Covered Entities would also maintain an audit trail system that logs privileged user access to critical systems, protects log data stored as part of the audit trail from alteration or tampering, protects the integrity of hardware from alteration or tampering, and logs system events including access and alterations made to audit trail systems.
8. Notice of Cybersecurity Incidents
Covered Entities would be required to “immediately” notify the NY DFS of cybersecurity incidents that have a reasonable likelihood of materially affecting the normal operation of the entity, including any incident that triggers New York’s data breach notification laws, is reported to its Board, or involves the “compromise” of certain protected personal information. Whether the risk of harm to the individuals involved could be considered was not mentioned, nor was any specification of a specific time period consistent with the “immediate” notification requirement.
The NY DFS’s Proposal will likely be discussed at the upcoming National Meeting of the NAIC in National Harbor, Maryland in mid-November 2015. As we noted in a prior post, the NAIC will consider adopting a cybersecurity “Bill of Rights” previously adopted by its Cybersecurity Task Force on October 14, 2015. The “Bill of Rights” proposes rights for insurance consumers relating to the protection of their personal information by entities regulated by state insurance departments.