Sit up and pay attention: New York implements cybersecurity regulations for banks

On September 13, 2016, the New York Department of Financial Services issued proposed rules titled Cybersecurity Requirements for Financial Services Companies. The rules contain specific requirements for financial institutions that are designed to provide a structured framework for preventing cyberattacks.   

The regulations require financial institutions to have a cybersecurity program that must accomplish the following functions:

1.Identify internal and external cybersecurity threats;

2.Implement defensive infrastructure and procedures;

3.Detect cybersecurity events;

4.Respond to identified cybersecurity events and mitigate negative effects;

5.Recover from cybersecurity events and restore normal operations;

6.Fulfill all regulatory and reporting requirements.

The cybersecurity program must include a written cybersecurity policy. The policy must address 14 different topics including information security, system and network security, customer data privacy, and incident response, among others. The board of directors is obligated to annually review and approve the policy along with a senior officer in the institution.

Financial institutions must also designate a chief information security officer (“CISO”). The CISO will be responsible for implementing the cybersecurity policy and cybersecurity plan. One of the primary obligations of the CISO, in addition to ensuring compliance with the cybersecurity program, is to prepare a bi-annual report and present it to the board. The bi-annual report must:

1.Assess confidentiality of the information systems;

2.Identify exceptions to the cybersecurity policies and procedures;

3.Identify cyber risks;

4.Assess the effectiveness of the cybersecurity program;

5.Propose steps to solve any deficiencies;

6.Summarize all material cybersecurity events during the last report period.

To complement the CISO, financial institutions are also required to employ competent cybersecurity staff.

The regulations also require financial institutions to maintain records regarding their efforts to secure their systems. These records need to include an annual risk assessment. The financial institution must identify criteria for evaluating risks, criteria for assessing the integrity security systems, and document mitigation plans.

Financial institutions are also required to work with their vendors and any other third party that the institution provides information to prepare cybersecurity plans. This includes due diligence on the third party and periodic assessments, at least annually, of the cybersecurity of the third party.

The new rules also mandate the use of multi-factor authentication for anyone accessing the financial institution’s systems from an external system. This includes customers accessing deposit services.

This blog has previously covered why financial institutions should use complex security procedures—to protect from liability for unauthorized electronic funds transfers. The new regulations’ mandate for multifactor authentication will help financial institutions avoid liability from unauthorized transfers.

Finally, financial institutions must develop an incident response plan. These procedures must include internal processes for responding to a cybersecurity events. This should include an internal and external information sharing plan. While not explicitly mandated in the regulations, financial institutions should consider who their attorneys are and the role that they may play in protecting against potential litigation as a result of a cybersecurity event.

New York’s regulations represent the most comprehensive cybersecurity standards yet. Other states, such as California, are also adopting more stringent cybersecurity rules. Even though these regulations are not mandated federally or by Iowa, it is still a good idea to pay close attention to the practices New York mandates. The New York framework contains best practices that will help organize an institution’s approach to cybersecurity.

The framework also provides a good tool for non-financial organizations. The comprehensive framework will help organizations make sure they do not leave any gaping holes in their cybersecurity defenses. 

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.