03 November 2016 - Post by: Kurt Wolfe
In September, New York’s Department of Financial Services (DFS) proposed a new first-in-the-nation regulation that would require banks, insurance companies, and other financial services institutions regulated by DFS (‘covered institutions’) to ‘establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry’. In this article, we discuss the need to perform a robust gap analysis of your existing cybersecurity framework and the importance of understanding the regulation’s notice requirements.
The Proposed Cybersecurity Regulation
Broadly, the DFS cybersecurity regulation would require covered institutions to develop a cybersecurity program designed to:
- identify risks;
- protect systems and non-public information;
- detect cybersecurity events;
- respond to cybersecurity events;
- recover from cybersecurity events; and
- meet certain reporting obligations.
The proposed regulation would require covered institutions to adopt written policies and procedures and designate a Chief Information Security Officer (who may be a vendor) with responsibility for their implementation. The proposed regulation sets out minimum standards with the goal of providing sufficient flexibility to allow covered institutions to keep pace with technological advances.
The proposed regulation appears to draw on key elements of existing cybersecurity guidance, including recommendations from the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity and Critical Infrastructure Working Group and the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Framework”). In particular, the DFS proposal incorporates the five core elements of the NIST Framework: Identify, Protect, Detect, Respond, and Recover.
By incorporating elements of existing cybersecurity guidance, the DFS proposal would make mandatory a number of previously noncompulsory best practices. And while many financial services firms have implemented cybersecurity policies and procedures guided by those best practices, cybersecurity programs vary greatly from institution to institution.
Gap Analysis Recommended
For covered institutions, it will be critically important to conduct a robust gap analysis to identify differences between their existing cybersecurity governance framework and the standards set out in the proposed DFS regulation. Parts of the gap analysis will be relatively straightforward:
- Does your firm have a CISO?
- Do you have policies and procedures designed to ensure the security of information accessible to third-party service providers?
- Do your policies and procedures require annual review and testing?
But other aspects of the proposed regulation, including its specific authentication and encryption requirements, are more technical in nature and may require expert advice to assess the adequacy of a covered institution’s cybersecurity framework.
A robust gap analysis and curative measures may be time-consuming. But we would encourage covered institutions to begin assessing their systems, policies and procedures now to reduce the risk of noncompliance with the final DFS rule.
We would also encourage covered institutions to take note of the notice requirements set out in the proposed regulation and develop plans for meeting their requirements. The proposed regulation includes two key notice provisions that are a marked change from the currently murky reporting requirements applicable to covered institutions.
First, a covered institution must notify the DFS within 72 hours after it becomes aware of: (1) any cybersecurity event that it reports to another government or self-regulatory agency; (2) any cybersecurity event involving the actual or potential unauthorized tampering with, access to or use of nonpublic information; or (3) any material risk of imminent harm relating to its cybersecurity program. This time frame is likely to be challenging for an institution to meet, as similar state law notice requirements have proven, because in the initial stages of a cybersecurity breach investigation, it may be difficult to determine whether and what information in fact has been accessed, and therefore the obligation to report may be unclear.
Second, the proposed regulation requires covered institutions to certify annually that they are in compliance with the standards set out in the proposed regulation. The certification obligation will require that covered institutions have designed and implemented the required testing program far enough in advance of the deadline for any areas of noncompliance to be remedied.
Covered institutions would be well advised to take steps now to evaluate their current systems against those required by the DFS cybersecurity regulation. The proposed regulation is currently in a public comment period, but it warrants attention before a final rule is issued.
We will continue to track and report on further developments relating to the proposed DFS cybersecurity regulation.
A&O has an experienced team of cybersecurity experts dispersed throughout our offices. For information on A&O’s cybersecurity practice and links to a number of helpful resources, please visit our Cybersecurity microsite.