New York revises stringent cybersecurity regulations

This blog has previously covered comprehensive cybersecurity regulations for financial institutions published by the New York Department of Financial Services. On December 28, 2016, the department issued revised rules that address a number of comments the department received after publishing the rules initially on September 16, 2016. The department will receive comments on the revised rules until January 27, 2017, and the revised rules are scheduled to take effect on March 1, 2017.

The new rules include substantial changes to the original draft. Several of the changes appear to be designed to add flexibility to the rules to accommodate institutions of various sizes. For example, the rules previously required institutions to employ qualified cybersecurity personnel. The revised rules simply require institutions to utilize qualified cybersecurity personnel. This change reflects the fact that many institutions rely heavily on third parties to operate core parts of their operations, and the employment requirement may have been onerous and impractical depending on the nature and size of an institution’s operations.

There were also several substantial changes to the substance of the rules. Some of the more significant changes are explained below.

First, the new rules narrow the definition of “nonpublic information” to cover an individual’s name, personal mark, identification number or other identifier and a driver’s license, social security, or security number or biometric data. Previously, the rules defined nonpublic information as any information that customers provided as part of seeking financial services. The narrower definition reduces the burden on institutions to secure certain systems because only a combination of certain information will be subjected to the rules’ heightened security standards.

Second, the revisions remove the requirement that the institution’s board of directors approve the institution’s cybersecurity policy. Now, a “senior officer” or appropriate board committee can approve the policy.

Third, the regulations reduce the reporting requirement for the Chief Information Security Officer (“CISO”) from bi-annually to annually. In addition, the CISO’s annual report no longer has to address an extensive list of topics. Instead, the CISO’s report must report on the institution’s cybersecurity program and material cybersecurity risks. While preparing the report, the CISO is required to consider the integrity and security of systems storing nonpublic information, material cybersecurity risks, and the overall effectiveness of the cybersecurity program.

Fourth, the rules no longer mandate a schedule of penetration and vulnerability testing. Rather, the rules now require monitoring and penetration testing on a schedule that is consistent with the organization’s assessment of its risks.

Fifth, the revised rules require institutions to perform a risk assessment as often as reasonably necessary to address changes in the institution’s information technology systems. Previously, the rules required the risk assessment to be performed annually.  

Sixth, the revised rules remove the requirement for multi-factor authentication every time an individual accesses nonpublic information. Instead, the multi-factor authentication is only required when individuals are accessing the institution’s internal network from an external location. The CISO however, has the authority to waive the multi-factor authentication requirement so long as doing so is consistent with the institution’s risk assessment.

In general, the revisions make the rules less prescriptive. Rather than setting forth a list of mandatory steps, the rules now nudge institutions toward incorporating cyber-risk assessments into their institutional planning process. Some of the mandatory requirements, like providing routine cybersecurity training, are good ideas that institutions should consider incorporating into their cybersecurity plan. However, the revised rules appear to acknowledge that cybersecurity programs will depend on the specific risks that each institution faces. These risks may vary by institution depending on the products and services the institution provides.

Even though they have been superseded by revisions, it is prudent to consider implementing some of the mandatory requirements in the original rules. A cybersecurity program that requires a CISO to assess and then report on cyber-risks is better than a policy that merely requires the CISO to consider cyber-risks.

While the New York cybersecurity regulations are not applicable to institutions in Iowa, they are an example of future regulation that may be coming at the state and federal level. Institutions should also recognize that New York’s first draft of the rules included a number of very specific obligations for institutions that were diluted only after comments from the industry. It is not difficult to deduce from that sequence of events that regulators are ready to push institutions to develop better cybersecurity programs. Money spent now on a robust cybersecurity program will help insure your institution is secure and ahead of the regulatory curve. 

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

- John Lande