On September 13, 2016, Governor Andrew Cuomo announced the first broadly applicable cyber regulation proposed in the U.S. (the “Regulation”). The Regulation covers banks, insurance companies and other financial institutions (Covered Entities) regulated by the New York Department of Financial Services (the “DFS”). The Regulation is tightly focused, but with broad reach. It appears to adopt aspects of other regulations and standards, but then adds unique requirements that make it the most sweeping and protective cyber regulation yet proposed. If adopted in a form close to the draft presented, financial institutions regulated by the DFS will have significant responsibility, and oversight, for protecting core operations and data, which extends far beyond the personally identifiable information covered by most existing statutes and regulations.
At the core is the Regulation’s first section, which requires Covered Entities to “establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” This requirement is analogous to, and may have been modeled on, Section 242.1001(a) of the Securities and Exchange Commission’s Regulation Systems Compliance and Integrity (Reg SCI). This seemingly simple requirement has broad implications, as failures of data and systems integrity and availability have the potential to be far more devastating to institutions and individuals than confidentiality breaches. Much of the Regulation provides the regulatory scaffolding designed to ensure that Covered Entities meet this requirement.
However, whereas Reg SCI uses language in its core requirement that has no clear definition in existing cybersecurity standards, DFS took another route. By using the terms “confidentiality, integrity and availability” and requiring Covered Entities to identify Nonpublic Information, the sensitivity of that Nonpublic Information, and how and by whom it may be accessed, the Regulation incorporates concepts that appear to come directly from the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 (NIST 800-53 Standard). The NIST 800-53 Standard requires data and systems identification and classification, and may provide an analogous structure that could be used for much, but not all, of the policies, processes and procedures required by the Regulation.