NY State Cyber Regulation for Banks: A Model?

On September 13, 2016, New York Governor Andrew Cuomo announced a set of proposed cybersecurity regulations for financial services companies that fall under the jurisdiction of the New York State Department of Financial Services (NYSDFS): Cybersecurity Requirements for Financial Services Companies. This proposed regulation, Cuomo noted, is the first of its kind in the nation and reflects the severe threat of cyber-crime and disruptions to the global financial sector centered in New York.

This sector-specific regulation (which will now go through a 45-day public comment and review process) is the latest move in a proliferation of cybersecurity standards that private firms must navigate. Companies are already challenged to draw on appropriate required or voluntary frameworks, from government standards like the National Institute of Standards and Technology (NIST) Cyber Security Framework to industry standards and other private sector initiatives such as the International Standards Organization 27000 (ISO) or the Payment Card Industry (PCI) Security Standards and private/public partnerships like North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection standards. The financial services industry, in particular, has seen a proliferation of rules and guidance from regulators like the Security and Exchange Commission (SEC), the Federal Financial Institutions Examination Council (FFIEC) (which informs both the Office of the Comptroller Currency (OCC) and the Federal Reserve Bank’s oversight), and the Commodity Futures Trading Commission (CFTC).

In this context, the proposed regulations in NY State can be viewed both as a blessing and a curse. For those companies that fall under the jurisdiction of the NYSDFS, the proposed rules lay out a clear governance framework for cybersecurity. But these rules also add another set of standards for consideration by financial industry organizations that often have multiple regulators in varying jurisdictions here in the United States and around the world.

To the credit of the NYSDFS, prior to publishing the proposed rules, they surveyed nearly 200 companies on leading and emerging practices in cybersecurity. Foregoing the technical minutia of a corporate cybersecurity effort, the proposed rules address five key areas:

• The establishment of a cybersecurity program
• The adoption of a cybersecurity policy
• The role of the chief information security officer
• Oversight of third-party service providers
• Additional items that relate to security practices and other matters

The announcement emphasized that the proposed regulations are designed to provide “certain regulatory minimum standards while maintaining flexibility so that the final rule does not limit industry innovation and instead encourages firms to keep pace with technological advances.”

The first area of the proposed rule relates to the formation of a cybersecurity program. Each company, the rule reads, “shall establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” The outlines of the NYSDFS program aligns pretty closely with the U.S. Government’s NIST program: identify, protect, detect, respond, and recover.

The written cybersecurity policy mandated by the proposed rule is more detailed, calling out about a dozen areas—such as customer data privacy, vendor and third-party service provider management, and incident response—that, at a minimum, need to be addressed. Most importantly, the policy is mandated to be reviewed by the board of directors and approved by a “Senior Officer” “as frequently as necessary,” but at least once a year. The proposed rule even provides a template certification that the board should sign and submit to NYSDFS annually beginning January 15, 2018.

Under the rule, each entity will have to designate a “qualified individual” “responsible for overseeing and implementing the [company’s] cybersecurity program and enforcing its cybersecurity policy.” The Chief Information Security Officer (CISO), will have principle reporting and oversight responsibilities for the cybersecurity program at the company.

A critical risk in any corporate operation comes from third-party service provider relationships. This rule seeks to manage that by setting out policies and practices that, at a minimum, address:

• A risk identification and assessment of the third-party
• A set of minimum cybersecurity practices required to be met by the third party
• A due diligence process to evaluate the third-party’s cybersecurity programs
• At least an annual assessment of the adequacy of the third-party’s cybersecurity program

In some regards, this focus on third-party risks may be the most significant feature of the proposed regulation. This will help focus the subject companies on a critical source of cyber risk. But it should be noted that proper oversight and engagement with third-party vendors, particularly for the largest institutions, is costly and time-consuming.

The proposed rule goes on to identify other practices that the NYSDFS deemed important, from encryption and multi-factor authentication techniques to data retention practices and training and employee monitoring.

Taken as a whole, the proposed regulation should help advance the cause of cybersecurity, though these are still draft proposals and it remains to be seen how they will play out in practice. If one thinks about this state-level, sector-specific approach as a possible model, it’s important to keep in mind that financial institutions generally have greater resources available to dedicate to cybersecurity, and they are already subject to more intrusive regulation of internal governance than most other industries.

One challenge that financial companies might face in the implementation of the proposed regulation as currently framed is that it is structured both as a protective measure, for the companies to which it applies, and also a punitive set of regulations, enforcing the protection of customer data. There is an inherent tension in that framing, where the victim (the hacked company) also is treated as the culprit (for failing to protect customer private information). Ultimately, this framing may hinder collaboration as companies balance engaging with regulators to address cyber-threats against them with the regulatory action that comes from the disclosure. This, in turn, may slow progress on the common goal of improved cybersecurity and response.

Perhaps most surprising is the inclusion of a certification by the chair of the board (or designated member(s) of senior management) of compliance with the rule. Certifications of this nature are rare, though NYSDFS appears to find this a useful mechanism to ensure focus on process, having included it in other recent regulation as well. Certifications like this help boost attention to the issue internally and promote accountability, but they are expensive, as regulated entities build systems to protect the board and senior leaders and vet the certifications.

In his remarks, Governor Cuomo said, “this regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible." That’s a vast and misleading overstatement; any guarantee against cyber-attacks is an empty one. But the proposed regulations are generally a welcome effort to raise the standard of cybersecurity governance.