In an early November letter to members of the Financial and Banking Information Infrastructure Committee, the New York Department of Financial Services provided a broad framework of cybersecurity standards that it intends to incorporate in new regulations for financial institutions.

The committee, which is made up of federal and state regulators of financial institutions, including the Federal Reserve Board, the Securities and Exchange Commission, the Federal Deposit Insurance Corp and the National Association of Insurance Commissioners, was established after the Sept. 11, 2001 attacks to improve the reliability and security of the financial sector infrastructure.

While the DFS letter calls for dialogue, collaboration and regulatory convergence on cybersecurity standards for regulated financial institutions, it also indicates a clear intent on the part of DFS to move forward with regulations in this area with or without cooperation and collaboration from other regulators, including fellow state insurance regulators and the NAIC.

DFS regulates banks, insurance companies and other financial institutions that do business in New York.

Plenty of Precedent

Given New York's prominence as a financial center and the DFS precedent of applying many of its laws extraterritorially to financial institutions licensed in New York, rather than solely to those domiciled in the state, the forthcoming regulations are likely to affect a large number of financial institutions.

Further, history shows that DFS is comfortable both with being a precedent-setter in the regulatory community (for example, its adoption of reduced collateral requirements for reinsurers) and with taking positions contrary to other regulators (for example, its steadfast opposition to principle-based reserving for life insurers).

DFS's interest in this area is not new. Beginning in 2013, it surveyed banks and insurers about their cybersecurity programs, costs and plans, and published reports of its findings. DFS has also expanded its information technology examination procedures relating to cybersecurity and has conducted risk assessments of the financial institutions subject to its regulatory oversight. In its recent letter, DFS described cybersecurity as “among the most critical issues facing the financial world today.”

Written Policies and Procedures Required

As outlined in the letter, the regulations would require financial institutions to adopt written cybersecurity policies and procedures addressing, among other areas, information security, access controls, business continuity, network security, application development, vendor and third-party management, and incident response protocols.

These policies and procedures would be overseen by a designated chief information security officer, who would also be responsible for submitting an annual report to DFS assessing the program and the institution's cybersecurity risks.

Prior to submission to DFS, the annual report would require review by the institution's board of directors. Cybersecurity personnel would be required to receive mandatory training and to stay abreast of changing cyber threats and countermeasures. As described, however, the regulations would not mandate participation in an information-sharing and analysis organization.

The regulations would also require multi-factor access authentication for all access to internal systems and data from external systems, including customer access to web applications that capture or display confidential information.

Additionally, the regulations would address vendors and third parties with access to an institution's sensitive data or systems by mandating minimum contractual terms, including multi-factor access authentication, encryption of data both in transit and at rest, indemnification of the financial institution for losses, and audit rights. Further, the regulations would require annual penetration testing, quarterly vulnerability assessments, and maintenance of an audit trail system to track access and alterations.

Notice Required

Finally, in the event of a cybersecurity incident that has a “reasonable likelihood” of materially affecting the normal operation of the institution, notice would be required to be given to DFS. These incidents would include the compromise of personally identifiable information, including personal health information, payment card information and biometric data, incidents requiring notice under other New York laws, and incidents reported to the institution's board of directors.

Although the letter provides the most detailed look to date at the way DFS intends to address cyber risks, the market will need to await the formal proposed regulations to learn whether the standards proposed by DFS will represent a minimum set of standards or whether flexibility will be incorporated to take into account the size, resources, risks and mitigating controls of an institution.

It also remains to be seen how DFS will incorporate these new regulations into its existing enterprise risk management framework, and whether the regulations will extend to licensed insurance producers and claims adjusters.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.