New Cybersecurity Rules May Apply Imminently to a Wide Range of Financial Services Firms in New York State
On September 13, 2016, the New York State Department of Financial Services (the DFS) proposed regulations (the Proposal) that would require a broad set of financial services firms that are licensed, or otherwise have been granted operating privileges, by the DFS (Covered Entities) to adopt and maintain a cybersecurity program and corresponding cybersecurity policies and procedures. The DFS previously announced its intention to scrutinize cybersecurity as an integral part of its bank examinations, but this Proposal reaches further than would have been expected, including by requiring Covered Entities annually to certify compliance with the prescribed cybersecurity protections.
The DFS is inviting comments on the Proposal for a period of 45 days after its publication in the New York State Register. All comments must be submitted to the DFS by November 11, 2016. The Proposal is expected to be incorporated into final regulations that would be effective as of January 1, 2017, less than four months after its release,1 and firms subject to the final regulations generally would be given 180 days thereafter to come into full compliance.
Background
Although New York State has not yet adopted general data security legislation, a number of other states have adopted such laws in recent years in an effort to bolster the protection of nonpublic personal information stored and transmitted by businesses and state and local government agencies. For entities that it covers, the Proposal would go beyond these other states’ efforts by subjecting those entities to, arguably, the most extensive cybersecurity requirements yet adopted by any state legislature or agency.
The technical requirements of the Proposal are not inconsistent with other cybersecurity standards applicable to financial institutions, such as the information security standards established by the federal banking agencies, as described in the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook, but the Proposal does so by rule, rather than guidance, and is unique in demanding a level of cybersecurity “success” in implementing such technical measures. In so doing, the Proposal places what many may consider an unrealistic and intolerable level of liability risk on Covered Entities and their executives.
Further, like the DFS’s recently adopted final rule requiring New York-chartered financial institutions to bolster their anti-money laundering (AML) programs (the DFS’s AML Rule), as described in Arnold & Porter’s related Advisory, the Proposal could result in significant additional costs for the firms to which it applies (including costs beyond those that will be required to comply with the DFS’s AML Rule) and would provide the DFS with increased enforcement powers.
Covered Entities
The Proposal would apply to “Covered Entities,” to be defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the banking law [the NYBL], the insurance law or the financial services law [of New York State].”2 This definition would cover bank and insurance holding companies operating under the DFS’s authorization but leaves unclear the extent to which firms that sought approval to begin their operations in New York State, such as through an acquisition, would be considered to “operate under” the State’s financial services laws.3 Notably, although the Proposal has no exemption for financial services firms with only ancillary ties to New York, it would regulate primarily enterprise-wide functions—a potential mismatch between the Proposal’s jurisdictional hook and its practical impact. There is even an interpretation of the Proposal that would subject to its requirements out-of-state-banks that apply to establish New York State branches. The reach of the Proposal, therefore, would be broader than that of the DFS’s AML Rule—which will apply only to so-called bank regulated institutions (that is, certain New York-chartered banking institutions, along with New York-licensed branches and agencies of foreign banking corporations) and nonbank regulated institutions (that is, only check cashers and money transmitters licensed under the NYBL).
Firms that would be considered Covered Entities, or that are concerned that they may be considered Covered Entities, should consider submitting a comment on the Proposal seeking clarity regarding its scope or requesting any exemptions that they believe would be appropriate.
Elements of the Proposed Rules
Cybersecurity Program. Covered Entities would be required, under the Proposal, to establish a cybersecurity program “designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.”4 Under its program, the Covered Entity would be required to perform five core cybersecurity functions: (1) identify cyber risks to Information Systems and nonpublic information (NPI);5 (2) implement policies and procedures to protect Information Systems and the NPI stored on it from unauthorized access or other malicious acts; (3) detect Cybersecurity Events (as defined below); (4) respond to and mitigate the adverse effects of identified Cybersecurity Events; and (5) recover from Cybersecurity Events and restore normal operations and services. Cybersecurity programs also would be required to include the following features:
- penetration testing (at least annually) and vulnerability assessments (at least quarterly);
- an audit trail system that tracks and maintains the data necessary to reconstruct financial transactions and log access privileges;
- limitations on access privileges;
- written security procedures, guidelines and standards for all internal and external applications;
- an annual risk assessment of Information Systems, to be conducted in accordance with the Covered Entity’s policies and procedures and to include specified criteria;
- employment and training of cybersecurity personnel and mandatory cybersecurity awareness training for all personnel;
- multi-factor authentication for individuals accessing internal systems from an external network and for those who have privileged access to database servers or NPI; risk-based authentication for accessing web applications that capture, display, or interface with NPI; and support for multi-factor authentication for any individual using such applications;
- limitations on data retention, including policies for the timely destruction of NPI that is no longer necessary for the Covered Entity’s provision of product or services (except where otherwise required by law);
- risk-based policies and procedures for monitoring authorized users;
- encryption of all NPI held or transmitted by the Covered Entity (with some allowance for interim, alternative compensating controls); and
- a written incident response plan designed to respond promptly to any Cybersecurity Event.
While many of these program features can be appropriate additions to a firm’s cybersecurity strategy, the Proposal would leave relatively little room for practical judgments regarding what features are suited to the various circumstances facing the firm.
Written Cybersecurity Policy. The Proposal would require Covered Entities to adopt a written cybersecurity policy that sets forth their policies and procedures for the protection of Information Systems and NPI. The policy would be required to be reviewed by the Covered Entity’s Board of Directors and senior management and would be required to address, at minimum, 14 prescribed areas.6
Chief Information Security Officer. The Proposal would require Covered Entities to designate a qualified individual to serve as its Chief Information Security Officer (CISO). The CISO would be responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy. The CISO would also be required to report to the Covered Entity’s Board of Directors, at least bi-
annually or as the DFS may require, retrospective, current, and prospective information regarding the Covered Entity’s cybersecurity posture.7
Third-Party Service Providers. The Proposal also would require Covered Entities to implement policies and procedures designed to ensure the security of Information Systems and NPI accessible to, or held by, third parties. Such policies and procedures would be required to include identification and risk assessment processes, minimum cybersecurity practices standards, due diligence processes, periodic assessments, and establishment of preferred contractual provisions. Covered Entities also would need to obtain representations and warranties from their third-party service providers that the service (or product) provided is “free of viruses, trap doors, time bombs and other mechanisms that would impair the security of the Covered Entity’s Information Systems or Nonpublic Information.” Many vendors would hesitate to make such categorical representations, and almost none could reliably guarantee that they remain true.
Cybersecurity Event Notification. The Proposal would require Covered Entities to notify the DFS within 72 hours of becoming aware of any Cybersecurity Event that has a “reasonable likelihood” of materially affecting the normal operation of the Covered Entity or that affects NPI.8 The Proposal’s definition of “Cybersecurity Event” is extremely broad: “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.” It seems inconceivable that the DFS realistically could expect to be notified of each “attempt, successful or unsuccessful,” that could be made to access, disrupt or misuse an Information System or the information stored in it—let alone to make sufficient use of such data to justify the corresponding reporting burden. For firms with multistate operations, it is even more difficult to imagine how all such attempts on its Information Systems, regardless of geography or significance, could serve the DFS’s regulatory purposes. Such attempts occur multiple times per day at many firms, so the DFS almost certainly will need to adopt a narrower definition (or interpretation) of “Cybersecurity Event” if it expects to make the notification requirement meaningful.
Certification of Compliance. As noted, the Proposal would require that Covered Entities, through either their Boards of Directors or senior management, prepare and submit to the DFS an annual certification of compliance, beginning in January 2018.
Limited Exception. The Proposal would provide a limited exemption from certain requirements for any Covered Entity with fewer than 1,000 customers in each of the last three years, less than US$5 million in gross annual revenue in each of the last three years and less than US$10 million in total assets (including the assets of affiliates). This limited exemption, however, would not extend to the core requirements of adopting and maintaining a cybersecurity program and corresponding cybersecurity policies—nor to the annual certification requirement—and provides no relief for midsize institutions. Unlike the FFIEC Information Technology Examination Handbook, the Proposal does not expressly recognize that larger, more complex institutions require more sophisticated information security programs than their midsize and less complex peers.9
Considerations for Covered Entities
The Proposal may impact the compliance costs of Covered Entities significantly. Smaller firms, and those not presently subject to examination by federal banking agencies, may find compliance to be even more costly, because the burdens of adding personnel and allocating the resources necessary to develop the information security infrastructure that the Proposal would require may be more pronounced for such firms. In addition, depending on their internal systems and the scope of any final regulations, larger firms with relatively minor ties to New York State may be able to comply with the Proposal only through large, enterprise-wide investments that could exceed their expected income from their New York State activities.
Coupled with the DFS’s AML Rule, the Proposal presages substantial expense associated with chartering and regulation in New York State. Both the Proposal and the DFS’s AML Rule include provisions requiring an annual certification of compliance to be submitted by an institution’s board of directors or a senior officer (or senior officers). Not only do these requirements impose the additional burden on a senior officer (or senior officers) with actual knowledge of the enterprise’s compliance systems and controls, but they also present the potential for personal liability for any certifying officer (and possibly, directors on a certifying board).
In our experience, new compliance burdens such as this, and the associated heightened institutional and personal liability risk, may lead some financial firms to consider strategic alternatives allowing the firm to maintain relationships with its New York-based customers while removing the firm’s operations from the enforcement jurisdiction of the DFS. For insured depository institutions, such strategic alternatives include:
- converting from a New York charter to a national bank charter; and
- relocating a Covered Entity’s headquarters to another state, such as New Jersey or Connecticut, and converting to the new home state’s charter.
Compliance burdens, however, are only one consideration among many others that also should guide a financial firm’s chartering and headquarters decisions, such as the applicable jurisdictions’ overall statutory, regulatory schemes, and enforcement philosophy, as well as the firm’s business goals. Regulations like the Proposal also can affect competitive balance in an industry by increasing costs based on where an institution is chartered or licensed. Moreover, while the Proposal would be unique at the time of its adoption, other states may follow suit if the Proposal is seen as successful at protecting customers and focusing Covered Entities on cybersecurity risk management.
* * * *
Arnold & Porter’s financial services team handles some of the most significant matters affecting the financial services industry and participates in state and federal financial rulemaking and other regulatory proceedings, as well as in a variety of cybersecurity matters, including internal investigations, defense of enforcement actions and civil and criminal litigation, development and documentation of compliance programs, public policy issues, and regulatory counseling. Our cybersecurity team includes former federal prosecutors as well as former senior officials from the intelligence agencies, the US Department of State, and the US federal banking agencies.
*Robert Fischbeck contributed to this article. He is a Stanford Law School graduate employed at Arnold & Porter LLP. Mr. Fischbeck is not admitted to the bar.
-
The DFS’s AML Rule (as defined below), by contrast, will be effective 13 months after its proposal.
-
New York State’s financial services law was created in 2011, in connection with the consolidation of the State’s Insurance and Banking Departments. The financial services law primarily addresses DFS organizational administrative, and procedural matters, but also governs emergency medical services and surprise bills.
-
Financial services firms required to be authorized in New York State solely under laws other than the NYBL, the insurance law, and the financial services law, such as many New York broker-dealers, would not be subject to the Proposal. Persons that are subject to New York financial services laws, but who are not required to be, and are not, licensed or otherwise granted operating privileges by the DFS are also outside the Proposal’s scope.
-
“Information Systems” would include any “discrete sets of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized systems such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.”
-
The Proposal’s definition of NPI would broadly cover various types of personally identifiable information that might be considered confidential or “sensitive” but would exclude “any information that a Covered Entity has a reasonable basis to believe is lawfully made available to the general public from: federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law.”
-
The minimum prescribed areas are (1) information security; (2) data governance and classification; (3) access controls and identity management; (4) business continuity and disaster recovery planning and resources; (5) capacity and performance planning; (6) systems operations and availability concerns; (7) systems and network security; (8) systems and network monitoring; (9) systems and application development and quality assurance; (10) physical security and environmental controls; (11) customer data privacy; (12) vendor and third-party service provider management; (13) risk assessment; and (14) incident response.
-
Specifically, the CISO would be required to provide an assessment of the confidentiality, integrity, and availability of the Covered Entity’s Information Systems; any exceptions to the Covered Entity’s cybersecurity policies and procedures; existence of any cyber risks; an assessment of the effectiveness of the Covered Entity’s cybersecurity program; any proposals for remediation of identified deficiencies; and a summary of all material Cybersecurity Events that affected the Covered Entity during the time period addressed in the report.
-
This provision would add to existing security breach notification requirements under Section 899-aa of New York’s General Business Law and under guidance adopted by the federal banking agencies regarding response programs for unauthorized access to customer information.
-
Indeed the only time the Proposal uses the word “appropriate” is to describe interim substitutes for encryption controls.