In a presidential election year, Americans are often reminded that “As Ohio goes, so goes the nation.” When it comes to banks, insurers and financial institutions, it may be equally true to say “As goes New York, so goes the nation.” So when the New York State Department of Financial Services proposes sweeping cybersecurity regulations for the financial sector, the ripples will be felt far beyond New York borders.
The proposed regulations are more stringent than analogous recommendations from the Federal Financial Institutions Examinations Council (FFIEC). For instance, the breach notification deadline is 72 hours – a standard that will inevitably result in frenzied fire drill investigations in the years to come. They apply to “Covered Entities.” Covered Entities are any person operating under a Department of Financial Services license. For readability, this note refers to affected “banks”. However, that term should be understood to apply to all covered entities.
Some of the most noteworthy proposals are:
- The Appointment of a Chief Information Security Officer: Banksmust designate a Chief Information Security Officer (CISO). The CISO is responsible for the institution’s cybersecurity program – even if cyber defenses are outsourced to a third party.
- The Establishment of a Cybersecurity Program. The Program must safeguard the integrity of the bank’s computer systems. It would identify sensitive data, determine appropriate levels of access, and enforce internal controls. The Program must including procedures for detecting and responding to attempted intrusions.
- The Establishment of a Cybersecurity Policy. The Policy must document the bank’s approach to cyber concerns including privacy, incident response, vendor management, and risk assessments. It must be reviewed by the Board of Directors, and approved by a senior official.
- Periodic Stress Testing. Banks are required to regularly assess the robustness of their cyberdefenses via vulnerability and penetration testing.
- Application Evaluation. The bank must periodically evaluate all applications processing sensitive data for security. This requirement applies whether the applications are developed in-house or purchased off-the-shelf.
- Multifactor Authentication. The proposal envisions escalating levels of verification for increasingly sensitive data access. External access to databases with nonpublic information will require multifactor authentication.
- Encryption. Data in transit must be encrypted. If current technology precludes encryption, this must be offset by more stringent controls.
- Employee Controls. Access to nonpublic information should be limited to the extent necessary for employees to do their jobs. The need for such access must be periodically reevaluated.
- Data Retention. Banks must retain sensitive data no longer than necessary for business.
- Monitoring. The bank must monitor systems activity to detect impermissible or potentially problematic access or exfiltration of sensitive information. This must be coupled with mandatory cybersecurity training to reduce the risk of breach via human error.
These proposals are preliminary. The notice and comment process may result in some tweaks.
Nevertheless, they are noteworthy for three reasons. First, they reflect a determination that certain cybersecurity practices must be mandated rather than left to the institutions’ discretion. Second, they are likely to establish benchmarks that will set the standard of care going forward. Third, these standards will likely be applied—whether by law or industry “best practices”—to banks throughout the nation and abroad. Lord Ellenborough wrote “Can the Island of Tobago pass a law to bind the rights of the whole world?” Perhaps Tobago could not, but as the center of the global financial system, it would appear the Empire State may.