Banks, insurers and other financial service companies would need a cybersecurity plan and a CISO to carry that plan out under rules proposed by New York state regulators this week.
The outlined rules show New York “is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” Democratic Gov. Andrew Cuomo said in a statement Tuesday.
Banking industry groups cautiously welcomed the proposal, but some observers said the state should back off and leave such regulation to federal authorities.
Under the draft rules, which are subject to a 45-day public comment period before they are finalized, banks and other financial services institutions would have to:
- establish a cybersecurity program;
- adopt a written cybersecurity policy;
- designate a chief information security officer, or CISO, responsible for its program and policy;
- and have policies and procedures designed to ensure the cybersecurity of systems accessible to or run for the institution by third-parties.
The 19-page proposal attempts to set a floor for cybersecurity, not a ceiling; and to leave institutions the flexibility they need, according to the introduction. “Certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances,” regulators write.
The proposed regulation includes a requirement that banks notify the state’s Department of Financial Services within 72 hours of any cyberattack “that has a reasonable likelihood of materially affecting [its] normal operation … or that affects nonpublic Information.”
A patchwork of state regulations currently cover when companies must disclose breaches, and some observers who’ve worked in the sector warned that the new rules might add to a growing regulatory maze.
“Cybersecurity regulations need to see more uniformity and predictability across federal and state regulatory agencies,” Greg Garcia told FedScoop. Garcia, a former top cybersecurity executive for DHS and Bank of America, said banks are concerned about proliferating cyber regulations.
“A patchwork quilt of ‘me-too’ requirements only increases costs, reduces risk management efficiencies and confuses the ultimate goal of data and system protection … Regulators need to coordinate better. We all have the same objective so how about the same approach?”
Under the proposed rule, banks and other institutions would have to their systems go through penetration testing at least annually and do quarterly vulnerability assessments. They are also required to encrypt all non-public information they hold or transport, although the encryption requirements don’t kick in for one and five years respectively.
They would also have to introduce multi-factor authentication for privileged or remote system-logins and continuous monitoring of their staff.
“Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks,” New York State Department of Financial Services Superintendent Maria T. Vullo said.
The covered banks’ cybersecurity programs must have a minimum of five elements:
- Identification of cyber risks;
- Implementation of policies and procedures to protect against unauthorized access or other malicious acts;
- Detection of cybersecurity events;
- Responsiveness to identified cybersecurity events;
- Recovery from such events and restoration of normal operations and services.
The American Bankers Association gave a cautious welcome to the news. “We look forward to working with the New York Department of Financial Services toward our mutual goal of moving the cybersecurity needle in a manner that limits unnecessary compliance burdens.” Doug Johnson, senior vice president for payments and cybersecurity policy at ABA told FedScoop.
DFS said it surveyed nearly 200 of the banks and insurance companies it regulates “to obtain insight into the industry’s efforts to prevent cybercrime.” The data from these surveys was written up in a series of three reports “which helped to inform the rule-making process.”