Cuomo Proposes Cybersecurity Requirements for Financial Institutions

Chris Gaetano
Published Date:
Sep 14, 2016

New York Governor Andrew Cuomo has proposed new regulations that would set minimum cybersecurity measures for financial institutions, intended to "protect consumers and ensure the safety and soundness of New York State’s financial services industry."

"New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises," said Governor Cuomo. "This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible."

The regulations would cover entities overseen by the New York State Department of Financial Services, including banks and insurance companies, provided they had more than 1,000 customers in each of the last three calendar years, more than $5 million in gross annual revenue in each of the last three fiscal years, or more than $10 million in year-end total assets, calculated in accordance with GAAP.

Under the proposed regulations, entities would be required to establish and maintain a cybersecurity program that will:

1) identify internal and external cyber risks by, at minimum, identifying the nonpublic information stored on their information systems, the sensitivity of such information, and how and by whom this information can be accessed;

2) use defensive infrastructure and implement policies and procedures to protect their information systems, and the nonpublic information stored on them, from unauthorized access or other malicious acts;

3) detect cybersecurity events;

4) respond to identified or detected cybersecurity events and mitigate any negative effects;

5) recover from cybersecurity events and restore normal operations and services; and

6) fulfill all regulatory reporting obligations.

Entities would also be required to implement and maintain a written cybersecurity policy covering areas such as information security, data governance and classification, system monitoring and security, and business continuity and disaster recovery planning, among many others. Further, entities would be required to have an incident response plan, and security guidelines for the use of in-house applications.

Testing is another major part of the regulations. Entities would need to conduct annual penetration testing, quarterly vulnerability assessments, and an annual risk assessment centered on the security of their information systems. Further, they would be required to have an audit trail system that tracks and maintains data on access to critical information systems, as well as all the data necessary to reconstruct financial transactions and accounting records needed to detect and respond to cybersecurity events. The audit trail system would also need to protect its own data from tampering or alteration.
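The proposal says the audit trail must resist tampering but does not say how. The following is an added illustration by this editor, not text or code from the proposal or from the Department of Financial Services: each record carries an HMAC over its own contents and the previous record's HMAC, so that editing, deleting or reordering any record breaks the chain, and the latest HMAC ("head") is anchored outside the log so that silently dropping records from the end is also caught. The key, the event fields and the log entries are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. In practice the key would live in an HSM or KMS and be
# held by the verifier, not by the host that writes the log; a host that can
# read the key can also re-sign whatever it tampers with.
DEMO_KEY = b"demo-audit-key-not-for-production"

# Sentinel "previous MAC" for the first record in a chain.
GENESIS = "0" * 64


def _canonical(obj):
    """Deterministic JSON encoding so the same record always MACs the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, seq, prev, event):
    return hmac.new(key, _canonical({"seq": seq, "prev": prev, "event": event}),
                    hashlib.sha256).hexdigest()


def append_record(log, key, event):
    """Append an event, binding it to the previous record via the HMAC chain."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    record = {"seq": seq, "prev": prev, "event": event,
              "mac": _mac(key, seq, prev, event)}
    log.append(record)
    return record


def verify_log(log, key, expected_head=None):
    """Walk the chain; return (True, None) or (False, reason).

    expected_head is the last MAC as stored in an external anchor (a WORM
    store, a separate host, a printed register). Without it, removal of
    records from the tail of the log is undetectable by the chain alone.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = _mac(key, rec["seq"], rec["prev"], rec["event"])
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(expected, rec["mac"])):
            return False, f"record {i} fails chain check"
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "head does not match external anchor (records removed from tail?)"
    return True, None


def demo():
    """Build a constructed log, then try the tampering cases a verifier must catch."""
    events = [  # constructed sample events, not real data
        {"type": "login", "user": "alice", "system": "core-banking", "result": "ok"},
        {"type": "transfer", "user": "alice", "from": "ACC-1", "to": "ACC-2", "amount": 250},
        {"type": "privilege_change", "user": "bob", "role": "dba", "by": "alice"},
        {"type": "logout", "user": "alice", "system": "core-banking"},
    ]
    log = []
    for e in events:
        append_record(log, DEMO_KEY, e)
    head = log[-1]["mac"]  # what would be written to the external anchor

    results = {"intact": verify_log(log, DEMO_KEY, head)}

    edited = copy.deepcopy(log)          # change a transaction amount in place
    edited[1]["event"]["amount"] = 250000
    results["edited"] = verify_log(edited, DEMO_KEY, head)

    deleted = log[:1] + log[2:]          # drop the transfer entirely
    results["deleted"] = verify_log(deleted, DEMO_KEY, head)

    truncated = log[:-1]                 # drop the last record only
    results["truncated_no_anchor"] = verify_log(truncated, DEMO_KEY)
    results["truncated_anchored"] = verify_log(truncated, DEMO_KEY, head)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:22s} ok={ok} {reason or ''}")
```

Note what the chain does and does not give you: it makes tampering detectable, not impossible, and only if the verifier's key and the head anchor are outside the writer's reach. The `truncated_no_anchor` case passes verification, which is exactly why the head must be committed somewhere the log host cannot rewrite.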

The proposal would also restrict access to nonpublic information to those who actually need it to perform their responsibilities. These access privileges would need to be periodically reviewed, according to the proposal.

Entities would also need to have policies and procedures in place to ensure the security of information systems and nonpublic information accessible to, or held by, third parties. These would need to include identification and risk assessment of those third parties, minimum cybersecurity practices that third parties would have to meet, due diligence processes to evaluate third parties' cybersecurity practices, and periodic assessment of those practices.

Entities would also need to implement multi-factor authentication in a wide variety of contexts, encrypt all nonpublic information "both in transit and at rest," and have policies and procedures for the timely destruction of any nonpublic information that is no longer necessary for the provision of products or services, save that which is required to be retained by law or regulation.

This would all be overseen and implemented by a Chief Information Security Officer, whom the regulated entities would also be required to have, along with other cybersecurity personnel to carry out core cybersecurity functions and manage risks. These personnel would be required to attend regular training sessions to keep up to date on changing threats and countermeasures. Entities, according to the proposal, could use a third party to assist with complying with these requirements.

Finally, entities would need to implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access to, or tampering with, nonpublic information by those users. All personnel would also need to attend regular cybersecurity awareness training sessions.

Comments on the proposal are being accepted over the next 45 days. If approved, its effective date would be Jan. 1, 2017.