Understanding New York State’s Cybersecurity Compliance for Financial Institutions

The New York State Department of Financial Services (DFS) cybersecurity regulations go into effect today. In this blog post, I’ll share what these regulations mean and the biggest changes that financial services companies can expect over the next several months.

As a recap, in late December 2016, the DFS published its revised proposal for cybersecurity regulations. The proposal explicitly calls out the need for and the responsibilities of a Chief Information Security Officer (CISO) function. The occupant of this role must be a qualified individual responsible for overseeing and implementing the cybersecurity program. Similarly, the regulation calls for the use of qualified cybersecurity personnel with current knowledge and ongoing training in that discipline. Although the qualifications of these individuals are not explicitly defined, the implication is that they are and must remain well-versed in cybersecurity.

The DFS also puts explicit demands on the senior officers or board of directors to ensure their active participation in the cybersecurity program. This includes approval of the cybersecurity policy, review of an annual report by the CISO (effective February 15, 2018), and an annual certification of compliance – signed by an individual. This last piece is reminiscent of the Sarbanes-Oxley Act and opens the door for potential individual liability. Clearly, the intent is for that senior officer and the entire board to take their cybersecurity responsibility seriously.

Compliance dates for various portions of the proposed regulation are staggered over the next 24 months. This was a change from the original proposal and is an acknowledgement of the challenges that covered financial institutions will face in complying with specific provisions of the regulation. Here’s a look at a few of these just to provide a flavor for the difficulties to achieve compliance.

At the 12-month stage, covered entities will need to have multi-factor or risk-based authentication in place for access to nonpublic information – even internally. Many financial institutions use multi-factor authentication (MFA) for remote access to their corporate networks, but few have adopted it for access to internal resources as there are additional complexities and costs involved. Moreover, for legacy applications or systems that do not support MFA natively, a compensating control will be needed to protect the nonpublic information there.

At 18 months, encryption of nonpublic information both in transit and at rest will be required.  Where this is infeasible, CISO-approved compensating controls are acceptable, but they must be reviewed annually. Financial institutions typically encrypt the data on laptops as those are prone to loss or theft. However, encryption of data at rest on servers or in databases may not be common practice, except where payment cardholder information is involved. This will have to be expanded to include any nonpublic information. Data, in transit, should ideally be encrypted by the application. Consequently, this may require changes to a large number of commercial and internally developed applications. However, some older applications may be unable to encrypt natively. In such cases, encryption could be delegated to the network as an alternate control.

At the 24-month mark, financial institutions will need measures in place to ensure the security of nonpublic information that is accessible to or held by third-party service providers. The long lead time for this is necessary, given the quantity of suppliers or partners that may have access to or handle nonpublic information. The initial risk assessment, definition of minimum cybersecurity practices, subsequent contract revisions, etc. with third-party services providers will clearly be time-consuming. Some financial institutions already have enterprise risk management programs in place, which include some degree of vendor risk management.  However, even these will need to be broadened to monitor cybersecurity risks at providers that touch nonpublic information.

At the federal level, the themes of active board participation and concern over third-party cybersecurity risks have also been echoed. The Federal Reserve Board, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) have issued an advance notice of proposed rulemaking (ANPR) for enhanced cyber risk management.   Public comments were due in late January 2017, but as written, the ANPR calls for more active board-level involvement in cybersecurity programs and the extension of enhanced standards to address cyber risk at third-party providers to the financial sector as well.

Financial institutions licensed by the state of New York should develop their plans to address the provisions of the newly effective cybersecurity regulation but keep an eye on the progress of the proposed federal regulations as well, if applicable. In the end, financial institutions may be better served by developing an overarching cybersecurity program that will encompass their risks and ultimately subsume regulatory requirements. Other states may follow New York’s lead and conceivably introduce their own cybersecurity regulations as well. As global financial institutions already know, variations in regulations across jurisdictions can be complex to manage in a piecemeal fashion.

Lawrence Chin

[Palo Alto Networks Research Center]