Cyber Regs for Banks & Insurers May Be Only Weeks Away

Last September, New York’s Department of Financial Services (DFS) took a major step forward in its efforts to improve the cybersecurity posture of financial institutions (including banks and insurance companies) by proposing the first-in-country cybersecurity regulations. By any measure, the proposed regulations are comprehensive and demanding, and admittedly are intended by DFS to be “groundbreaking.” The proposal contains a number of prescriptive requirements that are substantially more rigorous than current best practices and would require major operational changes for many organizations.

Key Components:

The regulations would require entities to fulfill a variety of requirements, including the establishment of a cybersecurity program, and the adoption of a cybersecurity policy, which must be approved by the board or by a senior officer, and which encompasses key risk areas including information security, access controls, business continuity, data privacy, vendor management and incident response.

The proposal would also require covered entities to designate a Chief Information Security Officer (CISO), who will be responsible for implementing, overseeing and enforcing the cybersecurity program and policy.  The CISO would be tasked with development of a report, at least bi-annually, that addresses a prescribed list of issues. The report would then be presented directly to the company’s board of directors. The board chair or a senior office would be required to submit an annual certification of compliance with the regulations, which might expose the individual to liability if the entity is in fact noncompliant.

In addition, the proposed regulations broadly define a “Cybersecurity Event” as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.” The covered entity would be required to notify the Superintendent of Financial Services within 72 hours of any such event if it “has the reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information.” This begs the question of how an unsuccessful attack could ever have a reasonable likelihood of materially affecting operations or protected information. But a fair reading of the reporting mandate in light of the definition would not appear to allow for blanket disregard of failed attacks, even though major financial institutions thwart countless potentially devastating attacks on a daily basis. If this proposed requirement becomes part of the final regulation, the burden on covered entities and the DFS itself may be quite substantial.

Covered entities also would need to encrypt nonpublic information in transit and at rest. Although compensating controls approved by the CISO can be utilized if encryption is not currently feasible, the regulations would impose deadlines of January 2018 and January 2022 for encryption of data in transit and at rest, respectively. Encryption of at-rest data is likely to be one of the most challenging DFS requirements.

The proposed regulations contain many additional requirements, including the following:

– Implement a fully documented incident response plan;

– Maintain audit logs on system changes for 6 years;

– Annually review and approval of all policies and procedures:

– Timely dispose of sensitive information that is not needed to provide services;

– Use multi-factor authentication for privileged access to database servers that allow access to nonpublic information;

– Adopt policies, procedures and controls to monitor authorized users and detect unauthorized access; and

– Institute mandatory cybersecurity awareness training for all personnel.

DFS is currently reviewing comments received from the public, but it is not known if the proposed requirements will change in any material way when they go into effect on the anticipated date of January 1, 2017. Covered entities would then have only 180 days to comply with many requirements.

Concluding Thoughts:

Although large financial institutions may already have implemented a number of the mandates proposed by DFS, compliance still may be problematic for them because of the prescriptive nature of many of the components of the proposed regulations. And less mature entities would be well served to immediately focus on getting into compliance with the most basic requirements, given their virtually inevitable inclusion in the final regulations and the short deadline for compliance.

Read more by Judy Selby, here


Arrange a Conversation 


Article by channel:

Read more articles tagged: Cyber Security, Featured