Ballard Spahr to Host Webinar on October 6, 2016.

The New York Department of Financial Services (NYDFS) will require all institutions subject to NYDFS supervision to establish and maintain a cybersecurity program meeting "certain regulatory minimum standards." All financial institutions under NYDFS jurisdiction—including banks, state-licensed lenders, mortgage industry companies, insurance companies, and money services businesses—should carefully assess whether existing security measures will need to be enhanced and what additional steps may need to be taken to satisfy the requirements in the proposed regulations.

Financial institutions should be aware of the realistic possibility that any final regulations promulgated by the NYDFS could become the de facto national standard. Financial institutions should carefully consider whether to engage the NYDFS as it moves forward in finalizing the regulations.

Under the proposed regulations, financial institutions will be required to:

  • Establish a cybersecurity program designed to ensure the confidentiality, integrity, and availability of information systems;

  • Adopt a written cybersecurity policy, setting forth policies and procedures for the protection of: information systems and nonpublic information, including data governance and classification; access controls and identity management; business continuity and disaster recovery planning and resources; capacity and performance planning; systems operations and availability concerns; monitoring; application development and quality assurance; physical security and environmental controls; customer data privacy; and incident response. The cybersecurity policy must be reviewed by the board and approved by a senior management officer;

  • Designate a qualified individual to serve as the company's Chief Information Security Officer (CISO), who will be responsible for overseeing and implementing the company's cybersecurity program and enforcing its cybersecurity policy. Importantly, the CISO must provide at least biannual reports to the company's board about the cybersecurity program, including the effectiveness of the program, risks, security incidents, and recommendations on remediation as appropriate;

  • Have policies and procedures relating to managing third-party relationships, including conducting appropriate due diligence prior to entering into any such relationship and appropriately monitoring for and assessing the adequacy of cybersecurity measures by those third parties;

  • Establish a written incident response plan designed to promptly respond to, and recover from, any broadly defined "Cybersecurity Event." The regulation sets forth seven areas that the incident response plan must address "at a minimum;"

  • Notify the DFS Superintendent within 72 hours of any "Cybersecurity Event that has a reasonable likelihood of affecting the normal operation" of the company, affects nonpublic information, or involves the "actual or potential unauthorized tampering with, or access to or use of, Nonpublic Information."

The proposed regulations also set forth additional elements required for financial institutions' cybersecurity programs. Unlike more generalized guidance that has been issued by other regulators, these detailed regulations describe on a more granular level various security measures that constitute "minimum standards," such as annual penetration testing and risk assessments; logging and audit trail systems capable of "complete and accurate reconstruction" of transactions and accounting relating to cybersecurity events; multi-factor authentication for remote or privileged access to internal systems or database servers; data destruction standards; encryption of all nonpublic information at rest and in transit; and a variety of others.

As previously reported, NYDFS has been working with federal and state regulatory agencies and financial institution associations in developing the new cybersecurity regulations. However, financial institutions seeking to provide input on the final regulations may submit comments during a 45-day notice and public comment period before the regulations are finalized. The comment period runs from the regulations' September 28, 2016, publication in the New York State Register, ahead of their final issuance.

Ballard Spahr will host a webinar on the proposed regulations and other regulatory developments relating to cybersecurity on October 6, 2016.

Attorneys in Ballard Spahr's Consumer Financial Services and Privacy and Data Security Groups regularly assist companies in preparing public comments and participate in state and federal rulemaking. Our experienced team can also provide guidance on how to ensure compliance with the full range of state and federal privacy and data security laws and regulations impacting the consumer financial services industry. We regularly advise clients on the development and review of risk-based information security programs, including risk assessments and incident response plans.

Copyright © 2016 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.