The New York Department of Financial Services (NYDFS) has distributed a letter to various federal and state regulatory agencies and associations proposing the development of new cybersecurity regulations for financial institutions. The letter states that cybersecurity is “among the most critical issues facing the financial world today” and that there is “a demonstrated need for robust regulatory action in the cybersecurity space.” 

The NYDFS proposal arises in part from the cybersecurity survey that the NYDFS conducted of more than 150 regulated banks and the subsequent findings in the survey reports released earlier this year. The letter identified the following key regulatory proposals that are currently being considered and would require financial institutions to:

  • Implement and maintain written cybersecurity policies and procedures addressing a variety of cybersecurity topics, including data governance, application development, customer data privacy, and incident response.

  • Implement and maintain policies and procedures relating to third-party service providers with access to financial institutions’ sensitive data and systems.

  • Use multi-factor authentication for customer access to web applications that capture or display confidential information, for privileged access to database servers that hold confidential information, and for any access to internal systems or data from an external network.

  • Designate a Chief Information Security Officer (CISO), who would be required to submit annual reports to the NYDFS.

  • Implement and maintain written procedures, guidelines, and standards relating to application security, which the NYDFS believes should be reviewed on an annual basis by the CISO.

  • Employ adequate cybersecurity personnel and provide mandatory cybersecurity training for such personnel.

  • Conduct annual penetration testing, conduct quarterly vulnerability assessments, and maintain audit trails and activity logs.

  • Notify the NYDFS “immediately” of any cybersecurity incident that has a reasonable likelihood of materially affecting normal operations.

Although the NYDFS did not provide a timeline for when it expects to release the proposed cybersecurity regulations, it expressed the hope that the letter would “help spark dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cybersecurity standards for financial institutions.” These efforts could also prompt these regulatory agencies and associations to accelerate their own cybersecurity initiatives, which might incorporate elements of any NYDFS regulations. Any cybersecurity regulations issued by NYDFS would need to be read in conjunction with federal requirements and guidance, such as the recently released FFIEC Cybersecurity Assessment Tool.

Financial institutions should be aware of the realistic possibility that any regulations imposed by the NYDFS could become the de facto national standard. Although the NYDFS is only seeking input on its cybersecurity proposals at this time from the regulatory agencies and associations to whom the letter was sent, financial institutions should look for opportunities to engage the NYDFS as it moves forward in developing regulations. 

Attorneys in Ballard Spahr’s Privacy and Data Security Group and Consumer Financial Services Group have experience in engaging regulatory agencies in the rulemaking process, conducting cybersecurity risk assessments, drafting information security plans and representing companies in responding to information breaches and related litigation.

For more information, contact the authors of this alert, Privacy and Data Security Group Practice Leader Philip N. Yannella, Consumer Financial Services Group Practice Leader Alan S. Kaplinsky, or the Ballard Spahr attorney with whom you work.

Copyright © 2015 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.