New York Department of Financial Services Doubles Down on Cybersecurity

Nov 16, 2015 | Blog

Certain Republican presidential candidates, in their most recent debate, stated their intention to go to “cyberwar” with China. The New York Department of Financial Services (“NYDFS”), while more modest in its scope, announced on November 9, 2015 equally hostile intentions toward hackers and, more directly, toward financial institutions that don’t exercise good cyber-hygiene.

NYDFS, the state agency with jurisdiction over insurers, banks, investment companies and mortgage brokers, among other financial services organizations, has been vigilant about cybersecurity for over a year, including cybersecurity questions in its annual bank examinations and sending examination letters to insurance companies about their information safeguards (our NYDFS blog post linked here).

In the November 9th letter to the Federal Reserve Board of Governors, the U.S. Department of the Treasury, the Securities and Exchange Commission and several other federal financial agencies and commissions, NYDFS Acting Superintendent Anthony J. Albanese detailed tough new cybersecurity regulations and asked for “collaboration and regulatory convergence,” because NYDFS, he wrote, “considers cybersecurity to be among the most critical issues facing the financial world today.”

The proposed regulations would require covered financial services organizations to do the following:

  • prepare and implement a written information security plan;
  • train the work force on that plan;
  • establish a clear breach response protocol and report certain breaches to NYDFS;
  • designate a Chief Information Security Officer;
  • prepare detailed policies and procedures to monitor the security safeguards of third-party service providers;
  • implement multi-factor authentication;
  • perform quarterly vulnerability assessments and annual penetration analyses; and
  • maintain an audit trail system that would log access to critical systems and system events including alterations to the audit trail systems.

NYDFS is clearly serious about enforcing information safeguards. Covered financial services organizations would be well-advised to use these proposed regulations as a template for implementing robust security, not primarily because the proposed regulations will soon come into effect, but because solid cybersecurity is good business. With new cyber-attacks reported across multiple media almost every day, good stewardship of sensitive customer data is a great marketing tool, and much less expensive than loss of business due to a breach.

For further information on financial services cybersecurity compliance and breach response protocols, please call Kenneth N. Rashbaum.