Last week, New York Governor Andrew Cuomo issued a proposed cybersecurity regulation for banks and insurers operating in New York. The proposed regulation appears to be the first of its kind in the U.S., but is not likely to be the last. It requires banks, insurance companies, and other financial services institutions regulated by the New York Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure safety within New York’s financial services industry.
The proposal is interesting in many aspects. It allows firms to create and enforce their own programs as long as they meet minimum certification standards. It stipulates several functional requirements, stating “The cybersecurity program shall be designed to perform the following core cybersecurity functions:
(1) identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored on the Covered Entity’s Information Systems, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed;
(2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those
Information Systems, from unauthorized access, use or other malicious acts;
(3) detect Cybersecurity Events;
(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;
(5) recover from Cybersecurity Events and restore normal operations and services; and
(6) fulfill all regulatory reporting obligations.”
The proposed regulations also require annual risk assessments and penetration testing, hiring a chief information security officer (CISO), encryption of all nonpublic information transmitted to a bank or stored by it, identifying and limiting third party risks, restricting access to information, and using multi-factor authentication. Significantly, they also require employee training in cybersecurity to prevent human errors, recognizing the enormous vulnerability associated with this issue.
There is one additional requirement that bears watching. The proposed cyber regulations contain a requirement that either the board of directors or a senior officer certify that the company is in compliance with the regulations. That requirement would appear to open these individuals up to liability charges if an incident occurs and the company is found to have failed to meet the regulatory standards. It will be most interesting to see who actually ends up signing the certifications, and just how rigorous compliance efforts become before submissions are due.
By Tom Davis, SDI Cyber Risk Practice
September 20, 2016