On September 13, 2016, Governor Andrew Cuomo announced the first proposed broadly applicable cyber regulation in the U.S. (the “Regulation”). The Regulation covers banks, insurance companies and other financial institutions (Covered Entities) regulated by the New York Department of Financial Services (the “DFS”). The Regulation is tightly focused, but with broad reach. It appears to adopt aspects of other regulations and standards, but then adds some unique requirements that make it the most sweeping and protective regulation proposed to date. If adopted in a form close to the draft presented, financial institutions regulated by the DFS will bear significant responsibility, and face significant oversight, for protecting core operations and data, a scope that extends far beyond the personally identifiable information covered by most existing statutes and regulations.
At the core is the Regulation’s first section, which requires Covered Entities to “establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” This requirement is analogous to, and may have been modeled on, Section 242.1001(a) of the Securities and Exchange Commission’s Regulation Systems Compliance and Integrity (Reg SCI). This seemingly simple requirement has broad implications, as failures of data and systems integrity and availability have the potential to be far more devastating to institutions and individuals than confidentiality breaches. Much of the Regulation provides the regulatory scaffolding designed to ensure that Covered Entities meet this requirement.
However, whereas Reg SCI uses language in its core requirement that has no clear definition in existing cybersecurity standards, DFS took another route. By using the terms “confidentiality, integrity and availability” and requiring Covered Entities to identify Nonpublic Information, the sensitivity of that Nonpublic Information, and how and by whom it may be accessed, the Regulation incorporates concepts that appear to come directly from the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 (NIST 800-53 Standard). The NIST 800-53 Standard requires data and systems identification and classification, and may provide an analogous structure that could be used for much, but not all, of the policies, processes and procedures required by the Regulation.
“Nonpublic Information shall mean all electronic information that is not Publicly Available Information and is:
- Any business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity;
- Any information that an individual provides to a Covered Entity in connection with the seeking or obtaining of any financial product or service from the Covered Entity, or is about an individual resulting from a transaction involving a financial product or service between a Covered Entity and an individual, or a Covered Entity otherwise obtains about an individual in connection with providing a financial product or service to that individual;
- Any information, except age or gender, that is created by, derived or obtained from a health care provider or an individual and that relates to the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family or household, or from the provision of health care to any individual, or from payment for the provision of health care to any individual;
- Any information that can be used to distinguish or trace an individual’s identity, including but not limited to an individual’s name, social security number, date and place of birth, mother’s maiden name, biometric records, any information that is linked or linkable to an individual, including but not limited to medical, educational, financial, occupational or employment information, information about an individual used for marketing purposes or any password or other authentication factor.” [Emphasis added]
The Regulation has detailed content requirements for:
- a cybersecurity program,
- a structured and thorough written cybersecurity policy,
- penetration testing and vulnerability assessments,
- proper maintenance of audit trails,
- access privileges,
- application security,
- cybersecurity personnel staffing and training,
- third party information security policies (including required standard contractual clauses),
- multi-factor authentication,
- encryption of data at rest and in transit (with a grace period under specific circumstances if such encryption is not currently feasible),
- limitations on data retention,
- training and monitoring, and
- a detailed written incident response plan.
Interestingly, the requirement for an audit trail system appears to cover the implementation and maintenance of systems that allow for recovery from ransomware and advanced persistent threat integrity attacks. This seems beyond standard business continuity planning.
Of particular note, the Regulation appears to adopt cybersecurity assessment reporting requirements analogous to those in Reg SCI Rule 1003(b). Section 500.04(b) requires a qualified Chief Information Security Officer (a “CISO”) to develop a report, at least bi-annually, assessing, amongst a list of other requirements, “the confidentiality, integrity and availability of the Covered Entity’s Information Systems[…]” and to deliver it to the board or equivalent governing body. The report is required to be made available to DFS. Additionally, Section 500.17(b) of the Regulation requires an annual report to DFS certifying compliance with the Regulation. For a Covered Entity to issue such a report and a certification of this nature, one can imagine a structure of internal control testing and reporting similar in nature to the structures developed to comply with Sarbanes-Oxley Rule 404.
Additionally, Section 500.17(a) of the Regulation requires notice to the DFS of any Cybersecurity Event (broadly defined) “that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information.” This is analogous to the Reg SCI reporting requirement in Section 1002(b). The Regulation seems to contemplate the interplay between the Regulation and Reg SCI when it states that Cybersecurity Events include “…any Cybersecurity Event of which notice is provided to any government or self-regulatory agency[.]”
This article only scratches the surface of the requirements of the Regulation. It is comprehensive, tightly drafted, and provides a level of regulatory requirement and oversight that has not existed in financial services in the United States to date.