Client Advisory: Attention Banks, Insurance Companies and Other Financial Services Institutions – Be Prepared for New Cybersecurity Rules
By: Carter Conboy
If You Are Regulated by the New York State Department of Financial Services, Be Prepared For New Cybersecurity Rules
In late September 2016, New York State proposed a rule to fight the record-high occurrence of cyber-attacks on a wide range of financial services firms. In response to the targeting of banks, insurance companies and other financial services institutions, Governor Andrew M. Cuomo and Superintendent of the New York State Department of Financial Services (“DFS”) Maria T. Vullo announced a rule (“DFS Rule” or “Rule”): “Aim[ed] to Protect Consumer Data and Financial Systems from Terrorist Organizations and Other Criminal Enterprises.” The Rule follows a survey of nearly 200 financial institutions and will apply to banks, insurance companies, and other financial services institutions regulated by DFS (“regulated institutions”).
The mandates applicable to regulated institutions are consistent with earlier mandates by the Securities and Exchange Commission applicable to regulated Investment Companies and Investment Advisers (see Cybersecurity Guidance, Division of Investment Management (April 2015) and regulations cited therein). The DFS Rule is also consistent with earlier guidance by the U.S. Department of Justice, Computer Crime & Intellectual Property Section (April 2015), namely, Best Practices for Victim Response and Reporting of Cyber Incidents. In announcing the DFS Rule, the Governor highlighted the obligation of the financial services industry to proactively address threats posed by criminal enterprises:
New York . . . is . . . taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetuated by state-sponsored organizations, global terrorist networks, and other criminal enterprises. This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.
The core elements of the proposed rule require regulated institutions to (i) formulate cybersecurity programs that ensure the confidentiality, integrity and availability of information systems, (ii) adopt written cybersecurity policies, (iii) appoint a Chief Information Security Officer who regularly reports to the board, and (iv) formulate policies applicable to third-party service providers regarding the treatment of confidential, nonpublic information.
More specifically, regulated institutions are required to establish a cybersecurity program that identifies cyber risks and protects against unauthorized access to or use of confidential data, and that detects, responds to, and recovers from cyber events. The written policy must, among other things, classify data, monitor network performance and security, and provide for incident response and disaster recovery planning. Moreover, a Chief Information Security Officer (“CISO”) will oversee the cybersecurity program and report to the board at least bi-annually. This aspect of the Rule is significant inasmuch as it codifies the requirement that board members be made aware of system risks and vulnerabilities, and exposes regulated institutions and board members to potential liability when a cyber breach occurs as a result of a failure to comply with the DFS Rule.
The DFS Rule also requires regulated institutions to have policies and procedures in place for third parties with access to confidential, nonpublic information, covering risk assessment, cybersecurity practices, due diligence processes, and periodic assessment of the adequacy of third-party cybersecurity protocols. Separately, the DFS Rule imposes certain encryption requirements concerning confidential, nonpublic data.
The escalating frequency of cyber incidents affecting regulated financial institutions has prompted federal, and now state, regulatory entities to promulgate rules mandating risk assessment of systems and networks, the prioritization of nonpublic data and the security associated with same, the proactive hardening of systems against intrusion, and reports by CISOs to boards, all in advance of a cyber breach.
The entry of DFS is significant considering its regulatory oversight of New York’s banking, insurance and other financial services institutions, and its demonstrated willingness, through very visible enforcement cases, to take enforcement action regarding same. The Rule not only mandates policies designed to mitigate risk, but also mandates bi-annual reports to boards. In so doing, the Rule puts the onus on boards to ensure that cybersecurity policies are in place and to remain abreast of deficiencies and vulnerabilities.
What are you doing to ensure you are prepared and in compliance? If you are not in compliance or prepared to be, or have questions relevant to the application of this new rule, seek the appropriate advice of legal counsel.
Thomas A. Capezza is a Director at Carter Conboy. He practices in the areas of Technology, Cybercrime and eDiscovery, White Collar Litigation and Investigations, Corporate Governance and Investigations, and Civil Rights and Governmental Law. He has nearly 20 years of criminal and civil investigatory and litigation experience, including eight years as an Assistant U.S. Attorney with the Criminal Division of the U.S. Attorney’s Office, Northern District of New York (Albany); three years as an Assistant U.S. Attorney with the Civil Division of the U.S. Attorney’s Office, Eastern District of Michigan (Detroit); three years as Enforcement Counsel with the U.S. Securities and Exchange Commission (NYC); and four years as an Assistant District Attorney with the Suffolk County District Attorney’s Office. Additionally, he has nearly five years of executive experience as the General Counsel to the New York State Police. Mr. Capezza can be reached at 518-465-3484 and firstname.lastname@example.org.
This Client Advisory is provided as a courtesy to the clients of Carter Conboy. It provides general information and is not intended as legal advice and does not create an attorney-client relationship between Carter Conboy and the reader. Should the reader desire additional information about the content of this Advisory and/or its application to a particular circumstance, please contact attorney Thomas A. Capezza.