Keywords: Cybersecurity standards, DFS, FBIIC, new regulations

Following up on its promises to "move forward on regulations strengthening cybersecurity standards for banks' third-party vendors" and to "expand its information technology examination procedures to focus more attention on cybersecurity," the New York State Department of Financial Services ("DFS") issued a letter on November 9, 2015, to the Financial and Banking Information Infrastructure Committee ("FBIIC") announcing that the DFS is considering proposing new regulations to establish cybersecurity standards for financial institutions and inviting key federal and state regulators to collaborate in creating these "new, strong cybersecurity standards." The FBIIC is a coordinating body comprised of the key federal and state banking, insurance, and securities regulatory agencies.

In the letter, the DFS emphasizes that "a company may have the most sophisticated cybersecurity protections in the industry, but if its third-party service providers have weak systems or controls, those protections will be ineffective." This letter is the latest cybersecurity initiative by the DFS and demonstrates its continuing concern about this topic. In March 2015, the DFS issued a letter to chief executive officers, general counsels and chief information officers of approximately 160 insurance companies informing them that the DFS had expanded its information technology examination procedures to focus more attention on cybersecurity.[1] In an April 2015 update to its earlier report on bank third-party service providers, the DFS noted that, of the 40 banks surveyed for the report, fewer than half conducted any on-site assessments of their third-party vendors and nearly half did not require a warranty of the integrity of the third-party vendor's data or products.[2]

The November 9 letter provides an outline of topics and requirements that the DFS intends to address in its cybersecurity rulemaking proposal and invites feedback from the members of the FBIIC. It is possible that a number of the FBIIC regulators will provide some input to the DFS, although much of it may occur outside of the public domain. While the DFS has sought input from the FBIIC, New York-licensed financial institutions should anticipate that the DFS will proceed on its own initiative and timeline. As discussed in the letter, the DFS remains particularly concerned by the increasingly sophisticated nature of cybersecurity threats, by third-party service providers as a potential point of entry for hackers, and by the scale and breadth of the most recent breaches and incidents. Potential regulations by the DFS would establish specific requirements in the following areas:

Cybersecurity Policies and Procedures. Implementation and maintenance of written cybersecurity policies and procedures that address the following areas: (i) information security; (ii) data governance and classification; (iii) access controls and identity management; (iv) business continuity and disaster recovery planning and resources; (v) capacity and performance planning; (vi) systems operations and availability concerns; (vii) systems and network security; (viii) systems and application development and quality assurance; (ix) physical security and environmental controls; (x) customer data privacy; (xi) vendor and third-party service provider management; and (xii) incident response, including by setting clearly defined roles and decision making authority.

Management of Third-Party Service Providers. Implementation and maintenance of policies and procedures to ensure the security of sensitive data and systems that are accessible to, or held by, third-party service providers, including internal requirements for the following minimum preferred terms for contracts with third-party service providers: (i) use of multi-factor authentication to limit access to sensitive data and systems; (ii) use of encryption to protect sensitive data in transit and at rest; (iii) notice to be provided in the event of a cybersecurity incident; (iv) indemnification of the entity in the event of a cybersecurity incident that results in loss; (v) ability of the entity or its agents to perform cybersecurity audits of the third-party vendor; and (vi) representations and warranties by the third-party vendors concerning information security.

Multi-Factor Authentication. Implementation of multi-factor authentication for both internal and external access.

Chief Information Security Officer ("CISO"). Appointment of a qualified employee to serve as the CISO and employment and training of personnel adequate to manage the entity's cybersecurity risks and perform the core cybersecurity functions of identify, protect, detect, respond and recover.

Application Security. Implementation and maintenance of written procedures, guidelines, and standards reasonably designed to ensure the security of all applications utilized by the entity.

Audit. Performance of annual penetration testing and quarterly vulnerability assessments and maintenance of an audit trail system.

Notice of Cybersecurity Incidents. Notice to the DFS of any cybersecurity incident that has a reasonable likelihood of materially affecting the normal operation of the financial institution, including any cybersecurity incident that: (i) triggers certain other notice provisions under New York Law; (ii) results in notification of the entity's board; or (iii) involves the compromise of "nonpublic personal health information" and "private information" as defined under New York Law, payment card information or any biometric data.

Because of the attention financial services industry regulators are giving cybersecurity issues, we anticipate similar proposals to be introduced at the federal level, and potentially by other state regulatory agencies. This may result in the DFS cybersecurity proposal becoming the new standard for the financial services industry.

While the DFS is only requesting comment from other regulatory agencies at this point, we would expect many of these requirements to be implemented through rulemaking in 2016. It is unclear to what extent the proposals contemplated by the DFS will dovetail with existing requirements that impose risk assessment, governance and notice obligations on financial institutions. New York state-chartered banks, branches and agencies of foreign banks, and insurance companies should review the points above and consider ways to proactively address these areas of concern.

Originally published November 23, 2015

Footnotes

1. Letter from Benjamin M. Lawsky (March 26, 2015); available at http://www.dfs.ny.gov/about/letters/ltr150326_cyber.pdf.

2. DFS, "Update on Cyber Security in the Banking Sector: Third Party Service Providers" (April 9, 2015), available at http://www.dfs.ny.gov/reportpub/dfs_rpt_tpvendor_042015.pdf. See also, DFS, "New Cyber Security Examination Process" (Dec. 10, 2014), available at http://www.dfs.ny.gov/banking/bil-2014-10-10_cyber_security.pdf.


Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2015. The Mayer Brown Practices. All rights reserved.
