Cybersecurity Rules: New York State Financial Services Requirements
Bachir El Nakib
The new cybersecurity rules proposed by the New York State Department of Financial Services require financial services institutions to have extensive cybersecurity protections in place, including cybersecurity programs, policies, personnel, risk assessments, training, and breach reporting within 72 hours.
As we recently reported, the New York State Department of Financial Services (DFS) issued a set of proposed cybersecurity rules for New York financial services companies (Rules), in response to the many high profile cybersecurity breaches and hacks over the past few years. The Rules set minimum standards for financial services companies in an effort to keep their sensitive financial data and systems, and their customers' personal information, safe from breach and from cybercriminals. While many financial institutions already have robust cybersecurity programs which may be similar to the minimum standards set by the Rules, the Rules will also require each institution to jump through at least a few additional hoops, such as conducting audits, regularly certifying their compliance, and appointing a Chief Information Security Officer.
Who is covered under the Rules?
The Rules apply to almost all individuals, partnerships, and corporations operating in the banking, insurance and other financial services industries within New York and regulated by the DFS. They require all entities that are operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance, or financial services laws to meet the minimum standards set forth. See § 500.01(c). This includes state-chartered commercial banks and state-licensed branches and agencies of foreign banks.
However, the Rules include limited exemptions for smaller entities. Entities with fewer than 1,000 customers, less than $5M in gross annual revenue, and less than $10M in total assets (including affiliates) are exempt from the requirements involving the maintenance of specific cybersecurity personnel and the conduct of training, audits, and vulnerability tests. See § 500.18(a).
What do the Rules require?
When will the Rules become effective?
The Rules are set to be published in the New York State Register on September 28, 2016, after which they will enter a 45-day notice and public comment period prior to final issuance. See Press Release. The Rules become effective as of January 1, 2017. See § 500.20. However, financial institutions covered by the Rules will have 180 days from that date to comply with the new requirements. See § 500.21.
The Rules are publicized as the first of their kind in the country, and initial reactions to them have varied. Some believe they will have a minimal impact on large financial services institutions, which already invest heavily in sophisticated cybersecurity programs, but will be felt most harshly by smaller companies, which could have to pay upwards of millions of dollars to update their cybersecurity programs to meet the minimum requirements. Others see the Rules as a welcome effort to raise the overall level of cybersecurity in critical industries that face ever-increasing risks of cybercrime and cyberterrorism. The overall effectiveness of the Rules can only be speculated upon at this point. What is likely, however, is that other states and even the federal government may adopt similar regulations in the near future.
As for implementing the Rules, the Federal Financial Institutions Examination Council ("FFIEC") has issued extensive material on cybersecurity awareness but has not put that guidance into the form of a regulation. A covered institution might want to refer to this FFIEC guidance in implementing the Rules.