New York takes tough stance on financial cyber securityReprints
Many financial institutions are preparing for implementation of the comprehensive cyber security regulation expected to be issued by the New York Department of Financial Services, but some entities, particularly smaller ones, may struggle with compliance.
The proposed New York regulation, which applies to banks, insurers and other financial services institutions, requires entities to establish and maintain a cyber security program to protect consumers and ensure the industry’s safety.
Implementation was originally scheduled for Jan. 1, according to the proposal, with a 180-day transitional period, but a revised proposal was scheduled to be released late last month, to be followed by a 30-day comment period.
The proposal would require regulated financial institutions to establish a cyber security program, adopt a written cyber security policy and designate a chief information security officer, and has detailed provisions with respect to third-party vendors, among other provisions.
The larger institutions already have more resources and are better prepared to deal with it than those who are going to have to build additional infrastructures to provide monitoring and reporting and similar responses, said Jacqueline Geiger, managing director and financial institutions practice leader with Aon Risk Solutions in New York.
However, “There’s a very low percentage who would say they are completely prepared,” particularly with regard to the regulation’s more stringent requirements, she added.
“In terms of degree of difficulty, it’s going to depend on the size and relative maturity of the covered entities,” but even some of the larger banks or other financial institutions will have difficulty with some of its provisions, said Thomas Fuhrman, Washington-based global leader of cyber security consulting and advisory services at Marsh Risk Consulting.
“Many institutions are not ready for this,” said Elizabeth K. Hinson, an associate with Nelson Mullins Riley & Scarborough L.L.P. in Columbia, South Carolina.
“For example, this regulation requires report of a breach within 72 hours of the breach, and in order for this to happen a company needs to have in place a formalized instant response plan,” Ms. Hinson said.
Gamelah Palagonia, senior vice president and cyber risk specialist with Willis North America in New York, called it “the most prescriptive regulation thus far.” “It absolutely outlines every step of the way for financial institutions” and is “pretty much in line” with the standards recommended by the National Institute of Standards and Technology, but “it will be expensive and complex for financial institutions to comply” with it, she said.
The regulation “contains some very specific demands that go beyond” other regulations, including those related to nonpublic information, where the terms are defined very broadly, said Ms. Hinson.
In fact, the requirement that firms hire chief information security officers has created a demand that has led, in some instances, to financial institutions paying their CISOs more than they do their CEOs, said Aaron K. Tantleff, a partner with Foley & Lardner L.L.P. in Chicago. “You can imagine how that goes over in an organization,” he said.
Experts say the regulation is expected to be influential nationally.
Timothy J. Toohey, a partner with Greenberg Glusker Fields Claman & Machtinger L.L.P. in Los Angeles, said it appears “certain states are going to take a more proactive role regarding cyber issues and other issues.”
And New York, where much of the financial services industry is based, “has a heavier stick in this particular area than a lot of other states could have,” he said.
“It’s likely that the New York set of regulations will be something of a road map” for other states, said Timothy Monahan, Washington-based claims counsel with Lockton Cos. L.L.C.s’ financial services group.
Mr. Monahan said he does not anticipate the cyber rule will dramatically affect insurance.
“Many underwriters writing cyber security insurance for financial institutions are already asking a lot of questions about how they are addressing this issue and the type of procedures they have in place, similar to what New York has put into their regulation,” he said.
Major provisions of the proposed New York State Department of Financial Services’ cyber security regulation as of late-December include:
• Financial institutions, which include banks and insurers, must establish a cyber security program and written policy.
• The cyber security policy must be reviewed by the institution’s board of directors and approved by a senior officer at least annually.
• Financial institutions must designate a qualified chief information security officer, responsible for implementing, overseeing and enforcing its program and policy, who must file a report with the board of directors at least biannually.
• Each financial institution must have written policies with respect to information held by third-party vendors, and nonpublic information must be encrypted both while it is in transit and at rest.
• The institution must notify the Department of Financial Services’ superintendent of a possible cyber security event no later than 72 hours after becoming aware of it.
• The cyber security program must maintain audit trail systems.
• Financial institutions must submit a certificate of compliance annually to the department’s superintendent beginning Jan. 15, 2018.
• Smaller financial institutions, including those with fewer than 1,000 customers, are exempt.
Meanwhile, on the federal level, the Federal Reserve System’s Board of Governors, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. in October issued a joint advance notice of rule-making on cyber security for major financial institutions with at least $50 billion in assets and are seeking comment by Jan. 17.
Observers say the proposed rule is more principles-based than the more detail-oriented New York regulation.
They say it is unclear what effect the Trump administration will have on the proposed rule.