9/20/16 - New York Proposal Builds on Existing Cybersecurity Regulations

The New York Department of Financial Services recently proposed new cybersecurity regulation for financial companies that represents the most significant enforceable cybersecurity rulemaking by a state regulator to date. A 45-day comment period will commence on Sept. 28, when the proposal is published in the New York State Register.

What Firms Would Be Covered

The proposal sets forth new requirements that, if finalized, would take effect in January 2017 for all but the smallest state banks, insurance companies, licensed lenders, and money transmitters.

What’s New and Different

Although some provisions are similar to those found in guidance and frameworks published by other regulators, the NYDFS’s proposal would require firms to comply with more specific, enforceable rules than they currently face. The proposal also differs from existing guidance, frameworks, and regulations in several important ways.

  1. Broad definition of protected information: The NYDFS’s proposed regulation focuses many of its provisions on nonpublic information (NPI). The definition encompasses a wider scope of protected information than what is covered in current guidance or regulation, which typically centers on personally identifiable information (PII) or nonpublic personal information (NPPI). The proposal defines NPI as “all electronic information that is not Publicly Available Information,” including any business-related information that would cause material adverse impact through its unauthorized disclosure, access, or use; along with any information that individuals provide to firms when seeking a financial product or service, or that firms obtain from individuals through a transaction involving a financial product or service. The definition goes beyond an individual’s Social Security number, date of birth, and mother’s maiden name to include items often found through social-media accounts, such as education and employment information and “any information that can be used to distinguish or trace an individual’s identity.” The definition also specifically mentions passwords and other authentication factors — which for some firms may include customers’ email addresses if they are used to authenticate them for online applications.
  2. Increased oversight of third parties: The proposal includes new provisions that raise expectations for third-party oversight, including firms’ policies and procedures for assessing vendors’ and partners’ senior management, contracts, and additional technical controls, particularly where the third parties have access to a firm’s information systems or NPI. The proposal would require policies and procedures to ensure that contracts with third parties include provisions covering the use of multifactor authentication (MFA); encryption of NPI in transit and at rest; prompt notification to the firm if there is a cybersecurity event; and the potential provision of identity-protection services to the firms’ customers. Perhaps most noteworthy, firms would be required to have policies and procedures to ensure contracts would specify that third parties will provide representations and warranties that their products and systems are free of “viruses, trap doors, time bombs and other mechanisms” commonly used by hackers. If firms outsource their cybersecurity — as many smaller organizations often do — they must appoint a “senior official” to oversee the cybersecurity provider to make sure it complies with all other aspects of the rule.
  3. Push to MFA: While existing guidance calls for a risk-based approach to deploying MFA, the proposed rule would require the use of MFA for all remote access to a firm’s networks and to data from outside systems (even if at a third party), as well as for any type of privileged access to systems — including within a network — that store NPI.
  4. Encrypting NPI in transit and at rest: All firms would have to encrypt their NPI in transit within one year of the rule’s enactment and encrypt NPI at rest within five years. Prior to the compliance dates, the chief information security officer would have to approve the compensating controls.
  5. Timely destruction of NPI: The proposal sets forth a requirement for firms to have policies and procedures ensuring the timely destruction of NPI that is no longer necessary — a sometimes overlooked but important aspect of a holistic program for information risk management.
  6. Prompt notification of more events: The NYDFS proposes that firms must provide notification of adverse events to the superintendent within 72 hours of becoming aware of the event. This requirement would go beyond Gramm-Leach-Bliley Act requirements in two critical ways: It would require notification of any impact on NPI, rather than on the more narrowly defined sensitive customer information; and it would require notification of any event causing material impact to normal operations.
  7. Maintaining unaltered audit trails and transaction records: The proposal requires firms to maintain audit-trail records for six years in a manner that prevents their alteration and “allows for the complete and accurate reconstruction of all financial transactions and accounting necessary to enable the Covered Entity to detect and respond to a Cybersecurity Event.”
  8. Annual certification: Under the proposal, firms would have to certify their compliance annually.

The proposed rule’s effective date is Jan. 1, 2017, and firms would be required to prepare and submit a certification of compliance by Jan. 15, 2018. The broad array of firms under NYDFS oversight can use the comment period to review the proposed regulation, consider whether it applies to them, and prepare to comply with its requirements ahead of the effective date.

How Promontory Can Help

Promontory’s cybersecurity professionals have experience with, and knowledge of, changing cybersecurity risks and regulations. We help align risk management approaches with regulatory expectations to make our clients and their customers stronger and safer.

Simon McDougall
Managing Director
smcdougall@promontory.com
+44 207 997 3456

Judith Pinto
Senior Principal
jpinto@promontory.com
+1 212 542 6798