New York’s state banking regulator this week issued proposed cybersecurity regulations in a historic move that would require financial institutions to bolster virtual protections and training, more quickly report breaches and designate a top cyber officer to manage the program.
The proposed New York State Department of Financial Services (NYDFS) regulations are an acknowledgement of the ever-increasing aggressiveness of cyber threat actors in recent years – a collection of organized criminal networks, foreign nation-state spies and idealist hacktivists – that have pierced many of the largest companies, banks and government agencies in the United States, including Home Depot, JPMorgan and the Office of Personnel Management.
The new rules, crafted to protect the “financial capital of the world,” also come on the heels of the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) guidance last week calling on the country’s banks to improve convergence across anti-money laundering (AML) cybersecurity, fraud and risk management units to better uncover email compromise attacks.
The regulations, if finalized, would implement a requirement that banks have a 72-hour deadline to tell the NYDFS of any material data breaches. The proposed regulation is subject to a 45-day notice and public comment period before its final issuance.
In New York, there are a wide range of banks with varying degrees of cybersecurity savvy, meaning some may absorb and implement the requirements with little fanfare, while others could struggle mightily, said Jorge Guerrero, chief executive office of Austin, Tx.-based Optima Compass Group, a financial crime compliance consultancy.
“Some smaller banks don’t even have a tech person in house,” he said. “They outsource information technology and cybersecurity duties and outsource the responsibility as well. But these proposed rules required an internalization of that responsibility. meaning someone at the bank has to be well-versed on the controls that need to be applied and the contextual subject matter and knowledge.”
As well, this is the second time in three months New York has gone beyond federal financial crime compliance requirements.
The prior initiative, which focused on AML systems, data and decision-making, also has several parallels to the new cyber protocols. Those regulations included requirements to risk assess and test systems and ensure that a top compliance person, or the board itself, is accountable for the overarching functioning of the program, as well as any lapses.
In June, the NYDFS released new rules on the creation, testing and updating of transaction monitoring and sanctions screening systems, but compromised on a proposal that would have required chief compliance officers (CCOs) in writing to “certify” the effectiveness of these systems in stopping financial crime.
After industry pushback, the New York regulator relented, making many changes large and small from the proposal to the final rule. The largest pivot was making the certification by the CCO optional as the initiative could also be approved by the board, and changing the certification itself to a “compliance officer finding.”
New York leading nation on countering cyber criminals
“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said Governor Andrew Cuomo, in a statement.
“This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible,” he said in the statement.
New proposed cyber rules require banks and other regulated financial institutions to:
- Establish a cybersecurity program and related written policies.
- Designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy.
- Have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties.
- Protect the confidentiality, integrity and availability of information systems.
- Annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that address such risks.
For some banks, either proactive mid-size operations or larger, international banks, the new cyber rules may not be backbreaking challenge, said a compliance officer at a large bank in Texas.
“We already have that in place,” said the person, adding that regulators had requested more formal cyber protections and a designated CISO roughly two years ago. The bank was able to comply due to a flexible and supportive board already primed on the dangers and remediation costs of AML failures.
But where banks in New York could face a high hurdle in actually finding a CISO “qualified enough to understand the program and then identify what the banks needs to get their cybersecurity program up to speed, along with getting senior management and board buy-in,” said the person, who asked not to be named.
“That person also must take ownership and accountability of all of that,” said the person. “That is a lot, especially when you consider the liability issues happening in the AML world,” and with the understanding that the AML world is bleeding more into the cyber realm with the FinCEN guidance requiring more cross training of financial crime compliance staff.
What are the key parameters of New York’s new proposed cybersecurity regulations? Here are some excerpts from the rules:
Establishment of a Cybersecurity Program
Regulated financial institutions will establish a cybersecurity program designed to ensure the confidentiality, integrity and availability of information systems that performs five core cybersecurity functions:
- Identification of cyber risks.
- Procedures to protect unauthorized access/use or other malicious acts.
- Detection of cybersecurity events.
- Responsiveness to identified cybersecurity events to mitigate any negative events.
- Recovery from cybersecurity events and restoration of normal operations.
Adoption of a Cybersecurity Policy
Regulated financial institutions must adopt a written cybersecurity policy for the protection of their information systems and nonpublic information addressing:
- Information security, data governance and classification and customer data privacy.
- Access controls and identity management.
- Business continuity and disaster recovery planning and resources.
- Capacity and performance planning.
- Systems operations and availability, network security and monitoring.
- Systems and application development and quality assurance.
- Physical security and environmental controls.
- Vendor and third-party service provider management.
- Risk assessments.
Chief Information Security Officer
Regulated financial institutions shall designate a qualified individual to serve as Chief Information Security Officer (CISO) responsible for overseeing and implementing the institution’s cybersecurity program. The CISO must report to the board, at least bi-annually, on the health of the program, material events and current or planned remediation efforts.
Third-Party Service Providers
Regulated entities must have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties and include risk-assessments of the third-parties, documentation of due diligence and annual updates.
Each cybersecurity program shall include the following:
- Annual penetration testing and vulnerability assessments.
- Implementation of an audit trail system to reconstruct transactions and log access privileges.
- Limitations and periodic reviews of access privileges.
- Written application of security procedures, guidelines and standards, updated annually.
- Annual risk assessment of the confidentiality, integrity, and availability of information systems; adequacy of controls; and how identified risks will be mitigated or accepted.
- Employment and training of cybersecurity personnel on changing threats and countermeasures.
- Multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access.
- Timely destruction of nonpublic information that is no longer necessary.
- Monitoring of authorized users and cybersecurity awareness training for all personnel.
- Encryption of all nonpublic information held or transmitted for between one and five years.
- Written incident response plan to respond to, and recover from, any cybersecurity event.
As accountability rises, so must salaries
Prior to proposing this new regulation, the NYDFS “surveyed nearly 200 regulated banking institutions and insurance companies to obtain insight into the industry’s efforts to prevent cybercrime,” according to the regulator.
Additionally, it met with “a cross-section of those surveyed, as well as cybersecurity experts, to discuss emerging trends and risks, as well as due diligence processes, policies and procedures governing relationships with third party vendors,” to fine tune the new rules.
The findings from these surveys led to three reports which helped to inform the rulemaking process.
“DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs,” said New York State Department of Financial Services Superintendent Maria Vullo, in a statement.
“Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks,” she said.
But getting someone of that caliber on staff, particularly someone who understands the banks’ particular products, access points and geographic risks, could be a financial impossibility, Guerrero said.
“The salary demanded by the right cyber officer might be higher than the bank’s plans,” he said. Not having the available budget to hire a senior cyber officer “will make complying with the new rules a steep hill to climb, particularly for smaller banks. Larger and mid-size banks may be in a better position. Those who can afford to pay the most will get the top talent.”