NYDFS Announces Potential New Regulations on Cybersecurity | Practical Law


The New York State Department of Financial Services (NYDFS) released a letter it sent to members of the Financial and Banking Information Infrastructure Committee (FBIIC) seeking their collaboration on potential new regulations to increase cybersecurity defenses within the financial sector. The FBIIC operates under President Obama’s Working Group on Financial Markets, includes a broad set of financial regulators, and works to improve coordination among them.


Practical Law Legal Update w-000-7566 (Approx. 5 pages)


by Practical Law Intellectual Property & Technology
Published on 13 Nov 2015, USA (National/Federal)
On November 9, 2015, the New York State Department of Financial Services (NYDFS) sent a letter to members of the Financial and Banking Information Infrastructure Committee (FBIIC) seeking their collaboration on potential new regulations to increase cybersecurity defenses within the financial sector. The FBIIC operates under President Obama’s Working Group on Financial Markets, includes a broad set of financial regulators, and works to improve coordination and communications among them. The letter emphasizes that:
  • Several surveys and risk assessments previously conducted by the NYDFS demonstrate the need for robust regulatory action in the cybersecurity area.
  • The NYDFS seeks to coordinate with other state and federal agencies in developing a framework that addresses the most critical cybersecurity issues while maintaining the flexibility needed to manage local concerns.
  • The cybersecurity program mandates detailed in the letter are currently under consideration by the NYDFS, and the requirements may change as the work progresses.
In addition to requiring that covered entities maintain an overall cybersecurity program, the regulations, if promulgated, would likely set more specific requirements in certain areas, such as mandating that covered entities:
  • Implement and maintain written cybersecurity policies and procedures that address, among other things, information security, access controls, technical and physical safeguards, customer data privacy, and incident response.
  • Implement and maintain policies and procedures to govern third-party service provider relationships, including standard technical safeguards and contract terms.
  • Use multifactor authentication to improve access controls, especially for remote (external) access to internal systems, privileged (administrator-level) activities, and customer-facing, web-based applications that expose confidential information.
  • Designate a qualified Chief Information Security Officer (CISO), who would be required to submit an annual cybersecurity program and risk assessment report to regulators.
  • Implement, maintain, and periodically review written application-level security procedures, guidelines, and standards.
  • Employ adequate personnel (or third parties) to manage the cybersecurity program, provide them with appropriate training, and ensure they stay current on cybersecurity threats and countermeasures.
  • Maintain system audit controls, including log management, and conduct annual penetration testing and quarterly vulnerability assessments.
  • Immediately notify regulators of any cybersecurity incident that has a reasonable likelihood of materially affecting the entity's normal operations, including any incident that triggers other legal notice obligations, is reported to the entity's board, or involves the compromise of certain forms of personal information.