On March 1, 2018, the one-year transition period within which banks, insurance companies, and other financial services institutions and licensees regulated by the New York Department of Financial Services (“Covered Entities”) must have implemented a cybersecurity program ends. By March 1, the Covered Entities must be in compliance with the following requirements:

23 NYCRR 500 §§:

  • 04(b): Chief Information Security Officer (“CISO”) – Each Covered Entity must have designated a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy. The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body. The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks.
  • 05: Penetration Testing and Vulnerability Assessments – The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s risk assessment. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessment.
  • 09: Risk Assessment – Each Covered Entity shall conduct a periodic risk assessment of the Covered Entity’s information systems sufficient to inform the design of the cybersecurity program as required by this part. The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented.
  • 12: Multi-Factor Authentication – Based on its risk assessment, each Covered Entity shall use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access. Multi-factor authentication shall be used for any individual accessing the Covered Entity’s internal networks from an external network.
  • 14(b): Training and Monitoring – Each Covered Entity shall provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its risk assessment.

A PDF containing detailed descriptions for each requirement is found here.

On February 15, 2018—that is, today—banks, insurance companies and other financial services institutions and licensees regulated by the New York Department of Financial Services (DFS) are required to file their first certification of compliance with DFS’s far-reaching cybersecurity regulation (23 NYCRR Part 500) (the “Regulation”).

The Regulation, which became effective on March 1, 2017, is touted as being the first cybersecurity regulation in the nation, requiring significant operational, technology and reporting changes in order for entities covered by the Regulation (Covered Entities) to comply. Covered Entities are required to electronically file a certification statement through the DFS cybersecurity portal confirming the company’s cybersecurity program met the Regulation’s requirements for the prior calendar year. The deadline is today. Have you filed?

For more information on the Regulation and additional upcoming deadlines, click here.

On March 1, 2017, New York’s Cybersecurity Regulation (23 NYCRR Part 500)[1] became effective. The regulation is the first of its kind in the nation and requires certain companies, including banks, insurance companies and other financial services institutions regulated by the Department of Financial Services (“Covered Entities”), to have:

  • a cybersecurity program designed to protect consumers’ private data;
  • a written policy or policies that are approved by the Board of Directors or a senior officer;
  • a Chief Information Security Officer to help protect data and systems; and
  • controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.[2]

In addition, pursuant to the regulation, Covered Entities must report a cybersecurity event if (a) the event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (b) the event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity. Details regarding what constitutes such an event are set out on the New York Department of Financial Services website.[3]

We have previously reported about the upcoming New York Financial Services Cybersecurity Regulations. On February 16, 2017, Governor Andrew M. Cuomo announced that “the first-in-the-nation cybersecurity regulation to protect New York’s financial services industry and consumers from the ever-growing threat of cyber-attacks will take effect on March 1, 2017.”

The regulation is being touted by New York officials as being a “risk based” regulation, which requires financial services companies regulated by the New York State Department of Financial Services (DFS) to comply by implementing a cybersecurity program that will prevent and avoid cyber breaches.

In addition, the regulation requires that the top levels of the company instill a culture of compliance into the organization and be responsible for the cybersecurity program, including certifying compliance to the Superintendent on an annual basis.

The regulation has specific requirements that must be included in the cybersecurity program, including designating a Chief Information Security Officer and appropriate oversight of the program.

The Superintendent of DFS will enforce the regulations. The regulations go into effect on March 1, 2017, and covered entities will be required to annually prepare and submit a Certification of Compliance with the Superintendent starting February 15, 2018.

The New York Department of Financial Services announced last week that it will revise and delay the effective date of its proposed cybersecurity regulation. The announcement came two days after New York bankers brought up a number of criticisms of the proposed rules at a hearing before the state’s Standing Committee on Banks.

At the hearing, bankers lamented that the proposed regulation will prove too burdensome to implement, particularly for small community banks.

The New York Department of Financial Services (NYDFS) will delay the effective date of its proposed cybersecurity regulation until March 1, 2017. A new draft of the proposed regulation will be published on December 28, 2016, with an anticipated 30-day comment period. The original proposed regulation met with significant resistance, including reportedly more than 150 comment letters. Many of the comments characterized the proposed regulation as highly prescriptive and lacking allowance for Covered Entities to make risk-based decisions on certain important technology matters. Additionally, a number of comments requested the ability to distinguish between small and large Covered Entities in structuring cybersecurity programs based on size and risk. A number of the comments also expressed concern that inconsistencies with federal and other state regulations, which are anticipated in the future, would make compliance highly complicated. Nevertheless, a number of comments expressed agreement with the Department’s goal of improving cybersecurity programs overall. If the original 180 days for Covered Entities to come into compliance with the regulation is maintained, August 28, 2017, will be a crucial date. It is not known whether the Department will extend the January 15, 2018, date for Certification of compliance with the regulation.

The New York State Department of Financial Services (NYDFS) recently published the results of its cybersecurity survey of more than 150 regulated small, medium, and large banking organizations. The survey asked for information about the banks’ use and management of third-party service vendors with access to sensitive information. In particular, the survey asked banks whether they conducted initial or periodic due diligence assessments of third-party vendors, and what measures vendors took to safeguard sensitive information and/or to protect against loss due to security incidents. Less than half of the banks surveyed required due diligence assessments of potential third-party vendors prior to a contract. About one-third conducted periodic assessments during the term of the vendor’s contract. A third of the respondents did not require the vendor to notify them in the event of a security incident or breach.

NYDFS announced it will use the results to help it develop and adopt threshold cybersecurity standards for regulated banking organizations and their vendors. The anticipated standards will likely include due diligence, suggested or mandated vendor cybersecurity representations and warranties as well as a reporting mandate on security incidents.

Regulators, including NYDFS, continue to focus on requiring minimum cybersecurity standards to be in place when companies provide third-party vendors access to their IT systems and sensitive data. These minimum standards target identified areas of risk and are intended to reduce the number and severity of cybersecurity incidents. The particular focus on third-party vendors reflects the recognition that a number of recent large-scale breaches, such as those suffered by Target and Home Depot, occurred in whole or in part because credentials of a third-party vendor were apparently stolen.

NYDFS’ survey results are available in the report “Update on Cyber Security in the Banking Sector: Third Party Service Providers,” which updates its 2014 “Report on Cybersecurity in the Banking Sector” that emphasized banks’ widespread reliance on third-party vendors for important banking functions, such as trading and settlement operations and check and payment processing.

NYDFS is the principal regulator for state-licensed and state-chartered financial entities and other financial institutions operating in the State of New York, as well as insurance companies.

Pretty much the only time I don’t feel like I am Chicken Little predicting a massive cyber-attack is when I am with my colleagues at the FBI, Secret Service, NSA and my students in the Brown Executive Masters of Cybersecurity who are members of the military. They don’t respond to my thoughts and fears of cyber-attacks with a cocked head or raised eyebrow like everyone else in my life.

I am concerned that at some point in the future, we will experience a massive cyber-attack that may affect critical infrastructure that we depend on every day. It will not be total and complete. There won’t be a large loss of lives. It will not affect us for a long period of time. But when it happens, it will be effective in disrupting our lives and causing chaos like we have never before experienced. It will be chaotic because we are completely dependent on technology. If our technology is disrupted, our lives will be in massive disorder.

This scenario became more real this week with the increased tensions between the United States and Iran. Iran has had sophisticated cyber capabilities for years and has been behind many cyber-attacks around the world. Sanctions have not had an impact on the effectiveness of Iranian-backed hackers, much the same as those imposed on North Korea.

I am not Chicken Little. The Department of Homeland Security warned this week of the heightened risk of Iranian-backed cyber-attacks on critical infrastructure in the United States. The New York Department of Financial Services (DFS) warned banks of the increased risk of an Iranian-backed cyber-attack on the financial services industry. Other such attacks also could affect power, electricity, water, financial services, hospitals, chemical plants, schools, manufacturing facilities—you name it. How do we personally prepare for an attack that may affect those systems and services?

Preparing for a cyber-attack on critical infrastructure is much the same as preparing for a natural disaster in the face of Mother Nature. Think about what you would need if you were not able to have access to electricity or water, or not able to pay for things through your credit card or debit card or even get access to your online bank account. What would you need if cell service were not available? I often think of what I would have needed following Hurricane Katrina. But in a cyber-attack, you can’t get in your car and drive to another city or state to avoid the disaster.

Some things to consider in this time of increased threat from Iran and the warning from DHS and DFS would be to have on hand extra water, cash, non-perishable food, candles, a generator, prescription medication, a flashlight and other basic daily necessities that will help get you through a week or two of disruption. Just picture not having access to your online bank account, or the ability to use your credit or debit card or your cell phone. What do you need if the electricity is out? How would you survive “Naked and Afraid?”

Heed the warnings from DHS and DFS – examine your daily routine to determine what you would need and prepare now. That way, whether it is a cyber-attack from Iran, or a threat from Mother Nature, you will be prepared.

Following in the footsteps of the New York Department of Financial Services (NYDFS) in enacting cybersecurity requirements for the financial services industry, and in response to massive data breaches in the insurance industry, a wave of states have either enacted or are pursuing legislation aimed at regulating the cybersecurity measures of insurance companies.

In 2017, the National Association of Insurance Commissioners (NAIC) published a model rule that follows many of the NYDFS cybersecurity requirements, and most states are using that model in fashioning legislation for the insurance industry.

South Carolina, Michigan, and Ohio enacted cybersecurity laws applicable to insurance companies in the past year, and Mississippi, Connecticut, and New Hampshire have bills pending in their legislatures. More to come, for sure.

Since some states are not using the model law, there will be some variations from state to state. But basic security measures will be required in most of them, including having a Written Information Security Program (WISP) in place, completing a security risk assessment, and implementing procedures around incident response and breach notification. Just as in other areas of the law, such as breach notification, it will be important to follow the most stringent law if a company does business nationally or in multiple states and to stay current as states adopt new laws regulating cybersecurity.

In its July 2018 report on “A Financial System that Creates Economic Opportunities,” the U.S. Treasury Department outlined its proposals to identify improvements to the regulatory landscape to “better support nonbank financial institutions, embrace financial technology, and foster innovation.”

The Treasury Report contains over 80 specific recommendations for “Embracing Digitization, Data and Technology,” “Aligning the Regulatory Framework to Promote Innovation,” “Updating Activity-Specific Regulations” and “Enabling the Policy Environment.”

Under the heading of “Enabling the Policy Environment,” Treasury’s first recommendation is to establish a “regulatory sandbox” to enhance and promote innovation free from undue regulatory and statutory impediments.

This recommendation echoes efforts to promote new financial technology products previously announced by the CFPB and the State of Arizona. In announcing its initiative, the CFPB stated that its newly created Office of Financial Innovation will focus on “creating policies to facilitate innovation, engage with entrepreneurs and regulators, and review outdated or unnecessary regulations.”

The fact that other federal and state regulators have their own plans for “regulatory sandboxes” highlights one of the challenges facing Treasury’s proposal to create a “unified solution that coordinates and expedites regulatory relief . . . to permit meaningful experimentation for innovative products, services and processes.” The potential rub is that the Treasury’s proposal goes on to provide that if [other] financial regulators are unable to fulfill those objectives, Congress should consider preemption of state laws.

One prominent state regulator’s reaction was unequivocal. Maria Vullo, New York’s DFS Superintendent, assailed the Treasury proposal. “Toddlers play in sandboxes. Adults play by the rules,” according to Superintendent Vullo, who went on to say: “The idea that innovation will flourish only by allowing companies to evade laws that protect consumers . . . and safeguard markets . . . is preposterous.”

Clearly the U.S. must adapt its financial services regulatory framework to compete effectively in the rapidly evolving world of financial services. New financial services breakthroughs will almost certainly be accompanied by new risks. Blockchain technology and artificial intelligence will likely drive unprecedented innovation in the financial services industry—and pose unprecedented risks along the way. 21st Century regulations must be developed to cope with these risks, as well as the current regulatory concerns with safety and soundness, consumer protection and data security.

One can debate the merits of a “unified regulatory sandbox”—but one thing is certain—cooperation, collaboration and innovation on the part of U.S. financial service regulators are essential.