September 21, 2016 – On September 13, 2016, the New York State Department of Financial Services (DFS) released proposed cybersecurity regulations for financial institutions.[1] When the regulations become effective, they will make New York the first state to implement mandatory cybersecurity requirements on financial institutions, though others are now likely to follow New York’s lead. The regulations are the culmination of several years of DFS interest in how financial services companies address cybersecurity issues. The regulations will be open for public comment for 45 days and are set to take effect on January 1, 2017.
The proposed regulations apply to all entities that are licensed or registered under New York banking, insurance or financial services laws, which include a broad array of institutions, such as: state-licensed banks, savings banks, insurance companies, private bankers, licensed lenders, mortgage companies and state-licensed offices of non-U.S. banks.[2] Under the proposed regulations, covered institutions must appoint a chief information security officer[3] and “[s]enior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.” In addition, the proposed regulations require covered entities to report to DFS within 72 hours any cybersecurity event “that has a reasonable likelihood of materially affecting the normal operation of the entity or that affects Nonpublic Information.”
The proposed regulations require each covered entity to assess its risk profile and design, implement and maintain policies and procedures that are tailored to its needs, addressing, at a minimum:
- Information security,
- Data governance and classification,
- Access controls and identity management,
- Business continuity and disaster recovery planning and resources,
- Capacity and performance planning,
- Systems operations and availability concerns,
- Systems and network security,
- Systems and network monitoring,
- Systems and application development and quality assurance,
- Physical security and environmental controls,
- Customer data privacy,
- Vendor and third-party service provider management,
- Risk assessment and
- Incident response.
Though many of the proposed requirements reflect best practices and are consistent with existing guidance and regulations from other financial industry regulators, covered entities should evaluate their existing policies against the proposed regulations. Such analysis is especially important in light of potential enforcement actions for noncompliance.
[2] The proposed regulations include certain limited exceptions for smaller institutions.
[3] A covered entity could fulfill this obligation using a third-party service provider if the covered entity (1) retains responsibility for compliance with the regulations, (2) designates a senior officer to oversee the third-party service provider and (3) requires that the third party maintain a cybersecurity program that meets the requirements of the regulations.
Authored by: Glen Kopp, Cheri Hoff and Chelsea O’Donnell
Glen Kopp, former Assistant United States Attorney in the Southern District of New York, is a partner in Bracewell’s white collar, internal investigations and regulatory enforcement practice in New York. Prior to joining the firm, he served for five years in the U.S. Department of Justice, handling all phases of the federal criminal process. In private practice and at DOJ, he has handled regulatory enforcement matters, criminal proceedings, litigation and internal investigations relating to financial institutions; corporate, accounting, wire and bank fraud; insider trading; money laundering; options back-dating; securities; export control; and other matters. Since joining Bracewell, Glen has led an internal investigation into possible FCPA violations for a company with operations in the Middle East and drafted and reviewed FCPA provisions of international service contracts. Glen led an internal investigation involving possible improper billing practices for a government contractor. Glen has also guided a client through a criminal antitrust investigation and counseled clients victimized through cyber intrusions.
Cheri Hoff leads Bracewell’s private funds practice. Her practice focuses on providing advice to private investment funds, investors and advisers. Cheri forms and represents private funds, including hedge funds, private equity funds, funds of funds, and hybrid funds, with diverse strategies and structures. She handles a variety of regulatory and transactional matters for private investment funds and investment advisers. Cheri has experience providing regulatory advice to registered investment advisors regarding compliance with various aspects of the Dodd-Frank Act and the Investment Advisers Act. She provides operational, restructuring and related advice to her fund clients. In addition, she advises investment advisor clients on SEC and state registration and exemptions. Cheri also creates, implements and audits compliance policies and procedures. She is active in asset management mergers and acquisitions and has provided advice on a variety of transactions, including acquisitions, divestitures, majority and minority stake investments and lift-outs of management teams. In addition, she supports the white collar and enforcement group on various SEC-related matters and routinely speaks to fund principals and employees on topics such as insider trading and cybersecurity.
Chelsea L. O’Donnell is an associate at Bracewell, where her practice is focused on white collar criminal defense, internal investigations and regulatory enforcement matters. She represents clients in connection with Foreign Corrupt Practices Act (FCPA) compliance, securities fraud and public corruption. Chelsea assists corporate clients with internal investigations of potential misconduct, often in response to allegations of fraud or insider trading. She also represents clients who face civil suits and regulatory actions in connection with criminal matters, including SEC and FINRA investigations and enforcement actions.