“If we’re going to be connected, then we have to be protected.”
– President Obama, visit to Federal Trade Commission, January 2015
Take a look at the recent headlines; if not weekly, then monthly, we hear of another cyber attack on a financial institution, insurer, government agency or political campaign. More and more, these attacks are exposing America’s cybersecurity vulnerabilities. That’s our new norm – a world that is increasingly susceptible to cyber attacks.
Just as risks and cyber threats are expanding, both the public and private sectors are seeking more aggressive measures to combat this growing threat. The private sector is working on enhancing their defenses by instituting formal programs, adopting best practices, educating their staff and developing detailed response plans. On the public side, state and federal regulators are issuing formal cybersecurity requirements to replace recommended guidance and expanding examinations of companies’ cybersecurity readiness. The new rules also try to address growing concerns of breaches originating from third-party vendors.
This article will focus on the proposed cybersecurity regulation issued by New York’s Department of Financial Services (DFS) in September of this year, summarized in an overview here. The regulation is expected to serve as the model for other states to follow in issuing their cybersecurity regulations. DFS first conducted surveys and discussions with experts on increasing cyber threats resulting in three reports (May 2014, February 2015 and April 2015). DFS then used these reports to draft the proposed rule, which adopts a number of requirements that already exist in regulatory guidance, such as:
- adoption of a formal cybersecurity program,
- establishment of a cybersecurity policy,
- designation of a Chief Information Security Officer,
- completing assessments and monitoring and testing measures,
- delivering training and
- inclusion in incident response planning.
But before we delve into New York’s proposed rule, keep in mind that other regulators are not sitting idle on this issue. Here’s a quick summary of some of their efforts in the past year:
The Federal Financial Institutions Examination Council (FFIEC) issued a reminder to financial institutions to assess their risk management practices and controls over information technology and to consider existing guidance from the FFIEC:
- Information Security,
- Business Continuity Planning,
- Outsourcing Technology Services and
- Wholesale Payment Systems booklets.
The Commodity Futures Trading Commission (CFTC) approved a set of rules that will require frequent testing of information technology at U.S. commodities and derivatives firms, including exchanges and clearinghouses. Key elements of the rules include specified cybersecurity testing, minimum testing frequency, use of independent contractors, testing scope and internal reporting, review and remediation.
Securities and Exchange Commission (SEC) Chair Mary Jo White appointed Christopher Hetner to serve as her senior adviser on cybersecurity.
The Federal Energy Regulatory Commission issued new rules directing the North American Electric Reliability Corporation, the regulatory authority responsible for assuring the reliability of North America’s power grid, to develop new standards covering key security areas such as:
- third-party vendor risk management and
- the cybersecurity of control centers used to monitor and control the bulk electric system in real time.
The Department of Health and Human Services’ Office for Civil Rights instituted a new cybersecurity audit program for health care organizations covered by the Health Insurance Portability and Accountability Act (HIPAA).
DFS Proposed Regulation
So, why should legal, compliance and information security officers take note of this proposed regulation? The proposed regulation will set a precedent for other states to follow and, in some cases, expands on existing requirements, as discussed further below.
Who is subject to the regulation? Per the proposal, the rule would apply to all covered financial institutions, which the rule defines as:
Any persons (individual, partnership, corporation, association or any other entity) licensed/registered/chartered, required to be or subject to other registration requirements (e.g., permit) under New York banking, insurance or financial services laws.
Banks, insurance companies and investment companies would need to comply (with a limited exception for small organizations). But so would third-party service providers, who are not ordinarily subject to DFS oversight, as well as service organizations that are. They would need to comply with the proposed requirement to have policies and procedures in place to ensure the security of the information systems and nonpublic information accessible to or held by them.
The proposed regulation would mandate the following from covered financial institutions:
- Cybersecurity Program: Adoption of a formal cybersecurity program that encompasses these essential components:
- Risk Management and Oversight – identification of internal and external cyber risks by identifying the nonpublic information stored on information systems, its sensitivity, and how and by whom it may be accessed;
- Threat Intelligence and Collaboration – implementation of defensive infrastructure and policies and procedures to protect information systems and the nonpublic information stored on those systems;
- Cyber Incident Management Process and Controls – 1) detection of cybersecurity events and 2) a response plan and mitigation for identified or detected cybersecurity events;
- Business Continuity – inclusion of cybersecurity events in business continuity and recovery planning measures to assure restoration of normal operations and services; and
- Regulatory Reporting Obligations – addressing additional DFS reporting obligations (see below).
- Cybersecurity Policy: Adoption of a cybersecurity policy that addresses 14 areas (see summary here). My recommendation here is that, if you need to draft a policy, you use the 14 requirements as your outline, and if you already have a policy in place, you check it against the 14 areas to ensure each is covered in your policy.
- Chief Information Security Officer and Cybersecurity Personnel:
- Designate a Chief Information Security Officer (CISO) who would be responsible for developing and delivering a report, at least biannually, for the board of directors that:
- evaluates the information systems;
- lists exceptions to the policies and procedures;
- identifies cyber risks and details all material cybersecurity events;
- measures the effectiveness of the cybersecurity program; and
- provides remediation measures for any inadequacies;
- hire qualified IT personnel or ensure they are in place to manage the institution’s cybersecurity risk; and
- deliver mandatory annual cybersecurity training sessions for IT and cybersecurity personnel.
These roles may be outsourced, but organizations still remain responsible for compliance.
- Monitoring, Testing, and Penetration and Vulnerability Assessments: Institute the following monitoring, testing and assessments requirements:
- adoption of policies and procedures designed to monitor authorized users’ activities and to help detect unauthorized use of information systems;
- penetration tests at least annually and vulnerability assessments at least quarterly;
- review of any IT applications or programs developed in-house and their accompanying policies and procedures at least annually by the CISO; and
- risk assessment at least annually with documentation that describes the justification of the identified risks.
Note: The risk assessment may follow the inherent risk profile analysis outlined in the FFIEC IT Handbook.
- Access and Encryption: Institute access and encryption controls such as:
- limitation on access privileges to information systems storing or accessing nonpublic information solely to those individuals who require such access (periodic reviews are required to monitor access privileges);
- multifactor authentication for any individual accessing the institution’s internal systems or database servers that store nonpublic information; and
- encryption of all nonpublic information unless currently infeasible; if not feasible, alternate compensating controls are possible, but the CISO must review and approve them.
- Third-Party Governance: Institute the following to ensure proper governance of third parties engaged on their behalf that have access to their information:
- written policies and procedures designed to ensure the security of information systems and nonpublic information accessible to third-party vendors; and
- preferred provisions in contracts with third parties (preferred provisions) to require them to comply with specified cybersecurity standards, permit auditing and make certain reps and warranties.
The regulation is not clear on whether the preferred provisions must be added to existing contracts and service agreements. My recommendation would be that, regardless, organizations should confirm these provisions are included in their policies and procedures as well as in their terms of service with third-party service providers.
- Recordkeeping: Institute the following record retention requirements:
- tracking and maintaining cybersecurity records, and all data relating to system access by authorized users and any cybersecurity events, for at least six years; and
- adoption of policies and procedures for the “timely” (no clear standard provided) destruction of nonpublic information that is no longer needed unless such information has to be retained by law.
- Training: require all personnel to attend regular cybersecurity awareness training.
- Notice to DFS and Incident Response Plan: Institute the following notice requirements:
- an incident response plan must be in place;
- notice to DFS must be made within 72 hours of becoming aware of a cybersecurity event; and
- a certification to DFS must be made of compliance with the organization’s cybersecurity program every year by January 15.
Many states already have customer notification requirements in the event of a cybersecurity event. So the 72-hour notice requirement might be taxing if the organization has to address these and possibly federal notice requirements. Check your procedures or update them in consideration of NY’s and other state and federal notice requirements.
Takeaways
The proposed regulation is subject to a 45-day notice and public comment period before final issuance. If finalized as is, the regulation would take effect on January 1, 2017, allowing covered financial institutions 180 days from that date to comply with the rules. While there is a transition period, make sure your organization is proactive. Regardless of your organization’s size, degree of cybersecurity risk or cybersecurity sophistication, take steps now. Your programs should not be just something you have on paper and assess passively with little to no training and education delivered to your staff. Remember at a minimum to:
- S – Start an assessment of your cybersecurity programs and controls immediately, determine if there are any gaps and remediate as necessary
- E – Examine, implement and test controls around your critical systems regularly
- C – Check your third-party engagements and controls
- U – Update your cybersecurity policies using the proposed regulation’s 14 requirements
- R – Review and revise your internal and external reporting measures including response management processes and reporting to management and your boards
- E – Educate and train all your employees periodically on your program and ensure additional training is provided to staff designated to cover, monitor, support and maintain your cybersecurity controls and programs