November 07, 2016 Practice Points

New York State Department of Financial Services Proposes Cyber Security Regulations

By Leonard Wills

On November 13, 2016, the 45-day notice period will end for a set of regulations described as the “first in the nation.” The New York State Department of Financial Services (DFS) published draft regulations on cybersecurity for the financial sector on September 13, 2016. The draft regulations propose regulatory minimum standards to protect customer information and the covered entities’ information technology systems from a cybersecurity event (defined as “any act or attempt, successful or unsuccessful to gain unauthorized access to disrupt or misuse an Information System or information stored on such Information System”).

These draft regulations will affect “covered entities,” such as New York state chartered banks, New York licensed branches and agencies of foreign banks, insurance companies, money transmitters, licensed lenders, mortgage lenders, and servers. Certain small businesses, however, are exempt from these draft regulations. Each covered entity must “establish and maintain” a cybersecurity program that ensures the confidentiality, integrity, and availability of the entity’s information systems. Under the new regulations, cybersecurity programs will have to perform the following functions:

(1) identify internal and external cyber risks;
(2) leverage defensive infrastructure, policies, and procedures to protect the entity’s information systems;
(3) detect cybersecurity events;
(4) respond to and mitigate any potential cybersecurity events;
(5) recover and restore normal operations after a cybersecurity event; and
(6) follow all regulatory reporting obligations.

Furthermore, the regulations require each covered entity to designate a Chief Information Security Officer (CISO) “responsible for overseeing and implementing a company’s cybersecurity program and enforcing its policies.” The CISO is further required to report bi-annually to the entity’s board, and the contents of each cybersecurity report must be available upon request to the superintendent of financial services.

Any written cybersecurity policies and procedures under the new regulations must secure “information systems and nonpublic information accessible to, or held by third parties that engage in business with the covered entity.” All policies and procedures will be required to identify and assess the risk of third parties, and ensure that third parties meet minimum cybersecurity practices—among other minimum requirements—to protect their information systems.

Governmental entities, like DFS, that draft and propose cybersecurity regulations face numerous challenges. Regulations drafted today may become obsolete tomorrow because of technological innovations and transformations. Government officials and industry must work together to create regulations that are fair to industry and that protect consumers.

Leonard Wills is with the U.S. Department of Homeland Security’s Federal Emergency Management Agency in Washington, D.C.

*This article neither reflects the official views of the United States government nor does the United States government endorse this article.


Copyright © 2016, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).