New York proposed first-of-its-kind cybersecurity regulations on Sept. 13, 2016. The proposed rules would apply only to banks, insurers, and other financial services companies regulated by the New York Department of Financial Services (“DFS”). However, the sweeping nature of the regulations and New York’s role as a banking center are likely to make the rules a model for other states.
Per the DFS, the proposed rules were prompted by the recent increase in cyberattacks on large companies and the severe threat of cyber-crime to the global banking sector. The proposed rules would require regulated institutions to, among other things:
- Implement a cybersecurity program that, at a minimum: (i) identifies external and internal cyber risks; (ii) uses defensive infrastructure to protect an organization’s information systems and sensitive information stored on such systems; (iii) detects cybersecurity events; (iv) responds to detected cybersecurity events to mitigate negative effects; (v) recovers from the cybersecurity event and restores normal operations; and (vi) fulfills all regulatory reporting obligations;
- Maintain and implement a written cybersecurity policy that sets forth the policies and procedures for protecting sensitive information and that addresses the 14 areas set forth in the proposed regulations. The cybersecurity policy must be reviewed by the board of directors;
- Designate a Chief Information Security Officer (“CISO”) responsible for implementing and enforcing the organization’s cybersecurity program and employ other cybersecurity personnel. The CISO must present a report to the board of directors on the state of the organization’s cybersecurity program at least bi-annually;
- Limit access to sensitive information on the organization’s systems solely to individuals who require access to perform their responsibilities;
- Monitor how third-party vendors collect and store customer data; and
- Encrypt all sensitive information, perform timely destruction of sensitive information, require multi-factor identification in many cases, and require personnel to attend regular cybersecurity awareness training.
There is a limited exemption for small organizations. The proposed rules are in the middle of the 45-day comment period. The regulations are set to take effect Jan. 1, 2017, unless delayed, with a 180-day transition period.
These proposed rules join the proliferation of existing cybersecurity standards that companies must navigate. While none of the requirements in the proposed rule is a new concept, there is some concern that the requirements may be too inflexible, since the rules take a one-size-fits-all approach rather than a risk-based approach to cybersecurity.
Organizations that are regulated by the DFS should start implementing these requirements in anticipation of the Jan. 1 effective date. Many speculate that other states may follow New York’s lead and propose similar regulations in the near future. Accordingly, all organizations should review the proposed regulations, compare the requirements to the organization’s current practices, and consider whether the organization should take any proactive steps to prepare for the possibility of forthcoming similar rules.