A proposed New York State regulation that establishes minimum cybersecurity requirements for financial institutions goes into effect March 1, 2017.
A proposed New York State regulation that establishes minimum cybersecurity requirements for financial institutions goes into effect March 1, 2017.

The New York State Department of Financial Services (DFS) on Wednesday released a revised draft of an ambitious regulation designed to protect the state and its citizens from cyberattacks against financial institutions.

Described as the first of its kind in the U.S., the proposed regulation requires banks, insurance companies and other financial services institutions overseen by DFS to develop a cybersecurity program – as well as a written policy – that protects the integrity and privacy of confidential data, including personally identifiable information.

Officially known as 23 NYCRR 500, the regulation has been updated to clarify several stipulations imposed by the original draft, as well as to relax some of the stricter provisions that came under critique from interested parties, including banking and insurance trade associations.

According to a credible source, the newer version requires that regulated entities notify the DFS of an incident within 72 hours of determining that a cyberevent has transpired, whereas the older version required notification within 72 hours of when the incident actually took place – an impossible demand, as organizations are often unaware they have been attacked until much later. (A second source said that the newer version merely clarifies that the DFS must be notified within 72 hours of an incident's discovery, but only after determining that the event meets two specific criteria: one, it requires governmental notice as a matter of law; and two, it has a reasonable likelihood of causing material harm.)

Additionally, the DFS's revised policy staggers the timetable for affected organizations to implement various requirements, creates a small-business exemption, narrows the definition of nonpublic information, requires risk assessments be performed periodically instead of annually, offers entities additional access-control options beyond multifactor authentication, and adjusts the volume and content of information that CISOs must report to their board of directors.

The DFS also pushed back implementation of the regulation by two months, meaning the policy will now go into effect on March 1, 2017, instead of Jan. 1. Barring further changes, affected organizations must meet their first compliance requirements within 180 days of the regulation's effective date, and must submit their first annual certification to the DFS by Feb. 15, 2018. 

The revised regulation is now subject to a 30-day comment period. Michael Smith, president and CEO of the New York Bankers Association (NYBA), noted in a statement that his organization is "currently reviewing the revised cybersecurity regulations released by the Department of Financial Services, and may consider submitting additional comments. The New York Bankers Association submitted extensive commentary on the original proposal and was pleased that the Department considered the industry's feedback as part of the regulatory process.”

Edward McAndrew, a partner at law firm Ballard Spahr, said in an interview with SC Media on Thursday, that the revised, proposed regulations are a substantial improvement over the initial version released in September. 

“Although still much more prescriptive than what we've seen out of other regulators, the revised regulations are now more flexible and tied more closely to each organization's particular risk assessment,” said McAndrew, who serves as co-leader of his firm's Privacy and Data Security Group. “That said, they have teeth and will require substantial investment of time and resources to ensure initial and ongoing compliance. As with other types of regulations, initial implementation will be most difficult for small and mid-size organizations, while risk assessments, cyber event notifications and certifying compliance each year will require much effort by organizations of all sizes.”

The regulation sets forth a wide range of requirements, instructing financial organizations to appoint a CISO (although they do not have to apply that specific title), conduct penetration testing and vulnerability assessments, establish access control policies, create guidelines for application security, conduct risk assessments, encrypt private information, practice responsible data retention and formulate incident response plans, among other directives.

McAndrew believes that the DFS looks to have created a “viable legal model” that could set a precedent for other jurisdictions to copy. “I fully expect other states to follow suit with similar regulations both in the financial services and other industries,” said McAndrew.

“New Yorkers must be confident that the banks, insurance companies and the other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information,” remarked Maria Vullo, New York Financial Services Superintendent, in a press release. “This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats.”