September 22, 2016 | Client Alert

Cyber Security Regulation

The New York State Department of Financial Services (NYDFS) recently announced new regulatory standards that many in the financial services industry believe will become the new model for states considering similar regulation of companies’ approaches to cyber security. The NYDFS’s rules for cyber security protection require a wide array of financial services companies to implement specific and potentially far-reaching policies and procedures directed at protecting nonpublic information from cyber threats. Interested companies or individuals can comment on the proposed regulations until November 11, 2016.

The regulations apply to companies and individuals licensed by the NYDFS in the banking, financial services, and insurance industries (Covered Entity). Smaller Covered Entities must:

  • Institute a cybersecurity program to, among other things, (1) identify internal and external cyber risks; (2) use defensive infrastructure and implement policies and procedures to protect the Covered Entity’s information systems; and (3) detect any attempt, successful or unsuccessful, to gain access to the Covered Entity’s information systems (Cybersecurity Event)
  • Implement and maintain a cybersecurity policy covering 14 different areas
  • Limit access to nonpublic information to only those individuals who require such access
  • Conduct an annual assessment of the Covered Entity’s information systems that complies with written policies and procedures
  • Implement written policies and procedures that ensure the security of information systems and nonpublic information that are accessible to third parties, which must also meet minimum requirements
  • Limit data retention to ensure that nonpublic information is not retained longer than necessary
  • Notify the NYDFS of any Cybersecurity Event

In addition to the above, larger Covered Entities with more than 1,000 customers in each of the last three years, more than $5 million in gross annual revenue for the past three years, and more than $10 million in year-end total assets must also:

  • Designate a Chief Information Security Officer who will give biannual board presentations, which will be made available to the NYDFS
  • Conduct annual testing and risk assessment of information systems
  • Conduct a quarterly assessment of the information systems’ vulnerabilities
  • Implement audit trail systems that allow the reconstruction of financial transactions and accounting to detect and respond to a Cybersecurity Event, track access to critical systems, protect stored data, and protect hardware
  • Employ sufficient cybersecurity personnel to manage cybersecurity risks and perform core cybersecurity functions
  • Require multi-factor authentication
  • Provide regular training regarding cybersecurity awareness
  • Encrypt nonpublic information
  • Develop an incident response plan

While many companies already comply with the proposed requirements, some are unique, and the overall scope of these requirements is potentially even broader than it appears given NYDFS’s definition of terms like “Information Systems,” which may include telephone or even HVAC systems. The regulation will likely become effective on January 1, 2017, and companies will have 180 days to come into compliance with the regulation.
