In an early November letter to members of the Financial and Banking Information Infrastructure Committee, the New York Department of Financial Services provided a broad framework of cybersecurity standards that it intends to incorporate in new regulations for financial institutions.

The committee, which is made up of federal and state regulators of financial institutions, including the Federal Reserve Board, the Securities and Exchange Commission, the Federal Deposit Insurance Corp and the National Association of Insurance Commissioners, was established after the Sept. 11, 2001 attacks to improve the reliability and security of the financial sector infrastructure.

While the DFS letter calls for dialogue, collaboration and regulatory convergence on cybersecurity standards for regulated financial institutions, it also indicates a clear intent on the part of DFS to move forward with regulations in this area with or without cooperation and collaboration from other regulators, including fellow state insurance regulators and the NAIC.

DFS regulates banks, insurance companies and other financial institutions that do business in New York.

Plenty of Precedent

Given New York's prominence as a financial center and DFS precedent of applying many of its laws extraterritorially to financial institutions licensed in New York, rather than solely to those domiciled in the state, the forthcoming regulations are likely to affect a large number of financial institutions.

Further, history shows that DFS is comfortable in both being a precedent-setter in the regulatory community (for example, its adoption of reduced collateral requirements for reinsurers) and with taking positions contrary to other regulators (for example, its steadfast opposition to principle-based reserving for life insurers).

DFS's interest in this area is not new. Beginning in 2013, it surveyed banks and insurers about their cybersecurity programs, costs and plans, and published reports of its findings. DFS has also expanded its information technology examination procedures relating to cybersecurity and has conducted risk assessments of the financial institutions subject to its regulatory oversight. In its recent letter, DFS described cybersecurity as “among the most critical issues facing the financial world today.”

Written Policies and Procedures Required

As outlined in the letter, the regulations would require financial institutions to adopt written cybersecurity policies and procedures addressing, among other areas, information security, access controls, business continuity, network security, application development, vendor and third-party management, and incident response protocols.

These policies and procedures would be overseen by a designated chief information security officer, who would also be responsible for submitting an annual report to DFS assessing the program and the institution's cybersecurity risks.

Prior to submission to DFS, the annual report would require review by the institution's board of directors. Cybersecurity personnel would be required to receive training and to stay abreast of changing cyber threats and countermeasures. As described, however, the regulations would not mandate participation in an information-sharing and analysis organization.

The regulations would also require multi-factor access authentication for all access to internal systems and data from external systems, including customer access to web applications that capture or display confidential information.

Additionally, the regulations would address vendors and third parties with access to an institution's sensitive data or systems by mandating minimum contractual terms, including multi-factor access authentication, encryption of data both in transit and at rest, indemnification of the financial institution for losses, and audit rights. Further, the regulations would require annual penetration testing, quarterly vulnerability assessments, and maintenance of an audit trail system to track access and alterations.

Notice Required

Finally, in the event of a cybersecurity incident that has a “reasonable likelihood” of materially affecting the normal operation of the institution, the institution would be required to notify DFS. Such incidents would include the compromise of personally identifiable information (including personal health information, payment card information and biometric data), incidents requiring notice under other New York laws, and incidents reported to the institution's board of directors.

Although the letter provides the most detailed look to date at the way DFS intends to address cyber risks, the market will need to await the formal proposed regulations to learn whether the standards proposed by DFS will represent a minimum set of standards or whether flexibility will be incorporated to take into account the size, resources, risks and mitigating controls of an institution.

It also remains to be seen how DFS will incorporate these new regulations into its existing enterprise risk management framework, and whether the regulations will extend to licensed insurance producers and claims adjusters.
