Why every company should understand the New York cyber security requirements for financial services companies
April 2017 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
Every chief information security officer (CISO) and in-house lawyer responsible for data security legal issues should take an hour and read the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), which came into effect on 1 March. These new regulations, enforced by the Superintendent of the Department, require regulated financial services companies (defined very broadly under the law) to establish and maintain a fulsome cyber security programme. The requirements provide a terrific overview of what a strong cyber security programme for any company, regardless of industry, should look like. The requirements, however, also leave some questions open-ended.
To whom do the regulations apply?
The regulations apply to covered entities, defined as any individual or non-governmental entity operating under a licence, registration, charter or similar authorisation pursuant to New York’s Banking Law, Insurance Law or Financial Services Law. Small financial services companies (those with fewer than 10 employees, less than $5m in gross annual revenue and less than $10m in year-end total assets) are exempted, as are financial services companies that do not operate or maintain any information systems or non-public information.
What needs to be achieved by 28 August 2017?
Covered entities must develop and maintain a cyber security programme. The cyber security programme must include core cyber security functions like identifying and assessing internal and external cyber security risks, using defensive infrastructure and implementing policies and procedures to protect the covered entity’s information systems and non-public information, detecting cyber security events, detecting and responding to identified cyber security events and fulfilling applicable regulatory reporting obligations.
The term “cyber security event” is defined broadly to include any attempt, including unsuccessful ones, to gain unauthorised access to an information system or information stored on such a system. The inclusion of unsuccessful attempts as a data security event is highly unusual as data security laws go, as it potentially opens the door to include the hundreds or thousands of phishing and other ordinary attempts that information security departments identify and filter out on a daily basis.
Of significant concern, all documentation and information relevant to the covered entity’s cyber security programme must be made available to the Superintendent of the Department of Financial Services. While the regulations exempt these records from public disclosure, should the Department itself ever suffer a cyber attack, as we know sometimes happens with government agencies, all of this sensitive information could be compromised. Imagine the damage attackers could do if they were able to learn the techniques and safeguards financial services companies use to protect sensitive information. Hopefully the Department of Financial Services will explain how it intends to safeguard this sensitive information shared by financial services companies.
Covered entities must maintain a cyber security policy. Covered entities must implement and maintain a written cyber security policy setting forth the policies and procedures for protecting its nonpublic information and information systems.
Covered entities must designate security personnel. This includes a CISO to oversee and implement the cyber security programme and enforce the cyber security policy. The CISO may be employed by the covered entity or a third-party service provider. The CISO must report, in writing, annually to the covered entity’s board of directors beginning 1 March 2018. The regulations describe, with specificity, what areas the report must address.
Also, by 28 August 2017, every covered entity must employ qualified cyber security personnel. The personnel must manage cyber security risks and perform or oversee the performance of the core cyber security functions. The covered entity must train its personnel to ensure they are apprised of the relevant and latest cyber security risks. The covered entity must also verify that their personnel take steps to maintain current knowledge of changing cyber security threats.
Covered entities must implement access privileges. Each covered entity must limit user access privileges to information systems that provide access to non-public information. The covered entity must also periodically review such access privileges.
Incident response plan. Every covered entity must develop a written incident response plan. The plan should address: the internal processes for responding to a cyber security event; the goals of the incident response plan; the definition of clear roles, responsibilities and levels of decision-making authority; external and internal communications and information sharing; identification of requirements for the remediation of any identified weaknesses in information systems and associated controls; documentation and reporting regarding cyber security events and related incident response activities; and the evaluation and revision as necessary of the incident response plan following a cyber security event.
Notices to Superintendent. Covered entities must notify a cyber security event to the Superintendent of the Department of Financial Services within 72 hours from a determination that the event has occurred. The notification requirement, however, applies only to cyber security where either: (i) notice to any government body, self-regulatory agency or any other supervisory body is required; or (ii) there is a reasonable likelihood of materially harming any material part of the covered entity’s normal operations.
Every year, by 15 February, the covered entity must submit to the Superintendent a written statement certifying the covered entity was in compliance with the regulations during the prior calendar year. The statement must be signed by the chair of the board of directors or a similarly senior officer. The covered entity must keep supporting material for this statement for five years. If remediation, improvement, updating or redesign is necessary, the covered entity shall document the identification and the remedial efforts planned or underway.
What needs to be achieved by 1 March 2018?
Conduct risk assessment. Each covered entity must conduct a periodic risk assessment of its information system. The risk assessment must be carried out in accordance with written policies and procedures, and must be documented. The policies and procedures must establish criteria for the evaluation and categorisation of identified cyber security risks or threats facing the covered entity; the criteria for the assessment of the confidentiality, integrity, security and availability of the covered entity’s information system and non-public information, including the adequacy of existing controls in the context of identified risks; and requirements describing how identified risks will be mitigated or accepted and how the cyber security programme will address the risks. It must be updated as necessary to address changes to the covered entity’s information systems.
Use of multi-factor authentication. Each covered entity must use effective controls to protect against unauthorised access to non-public information or information systems. Those controls may include multi-factor authentication and risk-based authentication. Multi-factor authentication means authentication through at least two of the following: (i) knowledge factors, such as passwords; (ii) possession factors, for example, a text message on a mobile phone; or (iii) inherence factors, such as biometric characteristics. Multi-factor authentication must be used by any individual accessing the covered entity’s internal networks from an external network. Risk-based authentication means a system of authentication that detects anomalies or changes in the normal use patterns of a person that requires additional verification of the person’s identity when such deviations or changes are detected, such as use of challenge questions.
CISO report. The covered entity’s CISO must report on the cyber security programme and material cyber security risks at least annually to the covered entity’s board of directors or equivalent governing body or senior officer. The report may also address the confidentiality of non-public information, the covered entity’s policies and procedures, the overall effectiveness of the cyber security programme, and material cyber security events.
Penetration testing and vulnerability assessments. The covered entity must perform penetration testing of its information systems annually. Twice a year it must also perform vulnerability assessments to identify publicly known cyber security vulnerabilities in the covered entity’s information systems.
Training. The covered entity must provide regular cyber security awareness training for all personnel, which is updated to reflect the risks identified by the covered entity in its risk assessment.
What needs to be achieved by 1 September 2018?
Maintain an audit trail. Each covered entity must securely maintain systems that are designed to reconstruct material financial transactions to support normal operations and obligations (records must be kept for at least five years); and must include audit trails designed to detect and respond to cyber security events (records must be kept for at least three years).
Application security. Covered entities must prepare written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications used by the company. Additionally, the company must develop procedures for evaluating, assessing or testing the security of externally developed applications used by the entity. These procedures, guidelines and standards must be periodically reviewed.
Limitations on data retention. Every covered entity must have policies and procedures for the secure disposal on a periodic basis of any non-public information that is no longer necessary for business operations or for other legitimate business purposes.
Monitoring. The covered entity must implement risk-based policies, procedures and controls designed to monitor the activity of authorised users and detect unauthorised access or use of, or tampering with, non-public information by such authorised users.
Encryption. Every covered entity should implement encryption of non-public information held or transmitted by the covered entity, both in transit over external networks and at rest. If encryption is unfeasible, the regulations allow for alternative compensating controls under certain circumstances.
What needs to be achieved by 1 March 2019?
Third-party service provider security policy. Every covered entity must implement written policies and procedures to ensure the security of non-public information and security systems that are accessible to, or held by, third-party service providers. These policies and procedures must address the identification and risk assessment of the service providers; minimum cyber security practices that are required to be met by such providers; due diligence processes used to evaluate the adequacy of cyber security practices of such service providers; and periodic assessment of such service providers based on the risk they present and the continued adequacy of their cyber security practices. The policies must include guidelines for due diligence and contractual protections relating to service providers, including the provider’s use of access controls, multi-factor authentication, encryption, notice of a cyber security event, and representations and warranties addressing the provider’s policies and procedures relating to security.
The regulations are useful for any company looking to measure and improve its cyber security programme. We would contend that they will become the new standard for ‘reasonableness’ by which the information security programmes of companies will be judged in the future. They incorporate a strong mix of administrative, technical and physical safeguards that require periodic evaluation. Nevertheless, there are still open questions, and hopefully the Department will issue more guidance over time to provide answers. In the meantime, CISOs and in house counsel looking for support from their respective organisations should consider using these regulations as a tool for that support.
Alfred J. Saikali is a partner and Mayela Montenegro is an associate at Shook, Hardy & Bacon L.L.P. Mr Saikali can be contacted on +1 (305) 358 5171 or by email: firstname.lastname@example.org. Ms Montenegro can be contacted on +1 (949) 975 1741 or by email: email@example.com.
© Financier Worldwide
Alfred J. Saikali and Mayela Montenegro
Shook, Hardy & Bacon L.L.P.