New York's Proposed Cybersecurity Regulations: An Old Path Or a New Trail?

All Banking Law, All in One Place. Bloomberg Law: Banking is the comprehensive research solution that powers your practice with access to integrated banking-related legal news, analysis,...

Cybersecurity

The New York Department of Financial Services has proposed requirements for banks, insurance companies and other financial services institutions to maintain a cybersecurity program designed to protect consumers. While the impulse of states to regulate is understandable, such regulations create ever greater burdens on business to comply with an increasing number of additional and potentially conflicting legal obligations, writes Todd Taylor of Moore & Van Allen PLLC.

Todd C. Taylor

By Todd C. Taylor

Todd C. Taylor is a Member of Moore & Van Allen PLLC in Charlotte, North Carolina. Mr. Taylor's practice is focused on privacy, information security and transactional matters, with an emphasis on supporting clients in the financial services industry. He can be reached at toddtaylor@mvalaw.com.

Introduction

On September 28, 2016, proposed cybersecurity regulations promulgated by the New York Department of Financial Services (NYDFS) were published in the New York State Register (the NY Cybersecurity Regulations). A press release from New York Governor Andrew Cuomo said that these “new first-in-the-nation” regulations would require banks, insurance companies and other financial services institutions to maintain a cybersecurity program designed to protect consumers.

The proposed regulations have yet to take effect and, as of the writing of this article, remain subject to a 45-day comment period. Assuming no further changes to the language of the NY Cybersecurity Regulations, the new rules will go into effect on January 1, 2017.

Existing Laws, Regulations and Guidance
Gramm-Leach-Bliley: Interagency Guidelines

Governor Cuomo's pride in the Empire State, while understandable, is misplaced in this case. There are in fact existing laws and regulations of long-standing that impose information security obligations on financial institutions. Most notably, the Gramm-Leach-Bliley Act, a federal law enacted in 1999 (GLBA), requires financial institutions to protect the security and confidentiality of their customers' nonpublic personal information. Under the authority of GLBA, various financial regulators — such as the Office of the Comptroller of the Currency (OCC), the Federal Reserve and the Federal Deposit Insurance Corp. (FDIC) — promulgated the Interagency GuidelinesEstablishing Information Security Standards (Interagency Guidelines) which became effective on February 1, 2001.

The Interagency Guidelines apply to financial institutions such as bank holding companies, national banks, state banks that are members of the Federal Reserve System, savings associations and FDIC insured depository institutions. The Interagency Guidelines require covered financial institutions to maintain a written information security program that includes appropriate administrative, technical and physical safeguards for both the protection of customer information and the destruction of customer information and consumer information (whether such information is in paper, electronic or other form).

Generally speaking, the Interagency Guidelines set forth a flexible, risk-based approach that allows a covered financial institution to determine the security measures that are appropriate for it. The Interagency Guidelines also note that covered financial institutions should have a response program to address incidents of unauthorized access to customer information. As part of such a response program, a covered financial institution should have procedures for assessing incidents of unauthorized data access and notifying regulators, law enforcement and impacted customers regarding such incidents (where appropriate).

Other Regimes Under GLBA

The Interagency Guidelines are not the only GLBA based information security rules. The National Credit Union Association (NCUA) separately adopted Guidelines for Safeguarding Member Information (NCUA Guidelines) under the authority of GLBA prior to the promulgation of the Interagency Guidelines. The NCUA Guidelines apply to federally-insured credit unions. There are no meaningful substantive differences between the NCUA Guidelines and the Interagency Guidelines.

GLBA's data security requirements also apply to broker-dealers and investment advisors regulated by the Securities and Exchange Commission (SEC), as well as entities regulated by the Federal Trade Commission (FTC) that are substantially engaged in financial service activities. Both the SEC and the FTC have promulgated their own separate data safeguard rules under the authority of GLBA.

FFIEC Examination Handbook

The Federal Financial Institutions Examination Council (FFIEC) is an interagency body consisting of the Federal Reserve, the FDIC, the NCUA, the OCC, the State Liaison Committee and the Consumer Financial Protection Bureau. From time to time, the FFIEC publishes guidance for use by bank examiners of financial regulators. On September 9, 2016, the FFIEC published an updated version of its Information Technology Examination Handbook: Information Security (FFIEC Information Security Booklet). The FFIEC Information Security Booklet, while not having the force of law or regulation, still provides valuable insight into how regulators measure a financial institution's compliance with the requirements of GLBA and the Interagency Guidelines.

Other State Laws

In addition to GLBA (and the related regulations and regulatory guidance), there are other existing state laws imposing data security obligations on persons and entities (including financial institutions). Some notable examples include:

  •  a California law requiring businesses that own, license or maintain personal information to implement and maintain reasonable security procedures;
  •  Massachusetts regulations which require persons or entities owning or licensing personal information to maintain a comprehensive written information security program setting forth administrative, technical and physical safeguards (and if any personal information is electronically stored, the information security program must cover computers and wireless systems); and
  •  a Connecticut statute which requires any person that conducts business in Connecticut and who possesses another's personal information to safeguard the data, computer files and documents containing such personal information and to ensure that such data is erased, destroyed or rendered unreadable prior to destruction.

New York's Cybersecurity Regulation

Governor Cuomo's claims notwithstanding, it is clear that the NY Cybersecurity Regulations will not be the first regulatory scheme addressing financial institutions' information security obligations. So, are the NY Cybersecurity Regulations largely duplicative of existing legal requirements and therefore are, at best, unnecessary? Yes … and no.

Below is a brief summary of where the proposed New York regulations are consistent with — and where they differ from — existing laws, regulations and regulatory guidance.

Covered Entities

The proposed regulations will cover any person or entity “operating under or required to operate under a license, registration … or similar authorization under” New York's banking, insurance or financial services laws (Covered Entities). Note that national banks, banks chartered in other states, Federal credit unions and broker-dealers (among others) would not be Covered Entities.

Scope of Proposal

The NY Cybersecurity Regulations will cover:

  •   Information Systems — which include electronic information resources organized for the collection, processing, use and dissemination of electronic information; and
  •   Nonpublic Information in electronic form.

Given that its coverage is limited to electronic information (and electronic information processing systems), the NY Cybersecurity Regulations are actually less extensive (in some respects) than GLBA and the Interagency Guidelines (which extend their coverage to information in paper, electronic or other form).

However, GLBA and the Interagency Guidelines limit their coverage to customer information and consumer information ( e.g., credit reports and information derived from credit reports). The NY Cybersecurity Regulations define Nonpublic Information to include non-publicly available:

  •  business information of a Covered Entity (if its unauthorized disclosure would have a material adverse impact on the entity);
  •  customer (and prospective customer) information;
  •  information related to the health or health care of individuals;
  •  can be used to identify an individual ( e.g., name & government id); or
  •  information that is linked or linkable to an individual ( e.g., employment related information).

Core Requirements

The proposed NY Cybersecurity Regulations require each Covered Entity to maintain a cybersecurity program and written cybersecurity policies. The overall cybersecurity program must be designed to:

  •  identify internal and external cyber risks;
  •  use defensive infrastructure and implement policies and procedures to protect Information Systems and Nonpublic Information;
  •  detect cybersecurity events;
  •  respond to, mitigate and recover from identified cybersecurity events; and
  •  fulfill regulatory reporting obligations.

The written cybersecurity policy must address issues such as:

  •  information security;
  •  data governance and classification;
  •  access controls and identity management;
  •  business continuity/disaster recovery;
  •  physical security/environmental controls;
  •  customer data privacy;
  •  third party vendor management;
  •  risk assessments; and
  •  incident responses.

None of the above requirements would be surprising to financial institutions subject to GLBA and the Interagency Guidelines.

The NY Cybersecurity Regulations also require the appointment of a Chief Information Security Officer. Again, this requirement is consistent with guidance found in the FFIEC Information Security Booklet.

A Step Beyond GLBA

The proposed NY Cybersecurity Regulations do, however, go farther than GLBA and the Interagency Guidelines in other key respects:

  •  Bi-annual reports to a Covered Entity's Board of Directors will be required in regards to the entity's information security program. The Interagency Guidelines only require annual reports.
  •  Multi-factor authentication for systems access will be required in some cases. The FFIEC Information Security Booklet discusses the use of multi-factor authentication as a risk mitigation tool – but use of such tool is not expressly required under the Interagency Guidelines or the FFIEC Information Security Booklet.
  •  Encryption will be required for all Nonpublic Information held or transmitted by a Covered Entity. Under the Interagency Guidelines, financial institutions can make risk based decisions as to whether encryption is necessary.
  •  A Covered Entity must notify the NYDFS Superintendent within 72 hours of becoming aware of:
  • o  cybersecurity events affecting the operation of the Covered Entity or Nonpublic Information; and
  • o  the identification of any material risk of imminent harm to the Covered Entity's cybersecurity program.
  •   In contrast, under the Interagency Guidelines, a financial institution's incident response program should simply have processes relating to notification of (a) the institution's primary regulator as soon as possible after the institution becomes aware of unauthorized access/use of sensitive customer information, (b) law enforcement where appropriate and (c) customers where warranted.
  •  A Covered Entity would need to provide an annual certification to the NYDFS Superintendent that the entity is compliance with the NY Cybersecurity Regulations.

Potential Impact

It is difficult to predict the long-term impact of the proposed NY Cybersecurity Regulations, however, a few guesses can be made.

First, even if an entity (such as a national bank) is not a Covered Entity under the NY Cybersecurity Regulations, if it has affiliates and subsidiaries that are defined as Covered Entities under the NY Cybersecurity Regulations, it may find itself effectively subject to the regulations. Quite likely, such an entity's information systems would be effectively commingled with the systems of its Covered Entity affiliates and subsidiaries, rendering it necessary to ensure that the information systems of the entire banking and corporate group comply with the NY Cybersecurity Regulations. In that regard it is worth nothing that GLBA (and regulations promulgated under GLBA) do not preempt those state laws and regulations which provide for greater protection of data and systems.

Second, given that GLBA and the Interagency Guidelines measure information security programs by a reasonableness standard, certain aspects of the proposed NY Cybersecurity Regulations may effectively become baselines for measuring the reasonableness of information security programs.

Third, NYDFS may find itself flooded with notifications containing incomplete information regarding cybersecurity events, as Covered Entities are required to provide notice within 72 hours of such events. Given such a short time window, it is likely that a Covered Entity will not have adequate time to investigate and determine the nature of the incident, and therefore find itself forced to make premature disclosures of questionable events.

Of course, the NY Cybersecurity Regulations are part of a larger trend of U.S. states regulating cybersecurity and information security. While the impulse of states to regulate is understandable, such regulations create ever greater burdens on business to comply with an increasing number of additional and potentially conflicting legal obligations.

Comparison Chart

Below is a chart that illustrates just some of the similarities and differences among the proposed NY Cybersecurity Regulations, the GLBA Interagency Guidelines and the FFIEC Information Security Booklet.

Proposed NY Cybersecurity Regulations GLBA Interagency Guidelines FFIEC Information Security Booklet
Who is Covered? Covered Entities” include persons/entities licensed, registered or authorized to operate under NY banking, insurance or financial services laws. Any financial institution (FI) subject to the oversight of the OCC, the Federal Reserve and the FDIC. Note also that the NCUA has regulations substantially similar to the GLBA Interagency Guidelines. FIs such as national banks, savings associations, state member & non-member banks and credit unions.
What is Covered? Information Systems & any Nonpublic Information in electronic form that: • if subject to unauthorized disclosure, could have a material adverse impact on the Covered Entity; • relates to customers/prospective customers; • consists of information related to an individual's health/health care; • can be used to identify an individual ( e.g., name & government id); or• is linked or linkable to an individual ( e.g., employment related information). Customer Information” ( i.e., any record containing non-public personal information about a customer). “ Consumer Information” ( i.e., any record about an individual that is a consumer report or derived from a consumer report maintained by an FI). In either case, where such information is maintained by an FI and regardless of whether such information is in paper, electronic or other form. Information systems and information maintained by or on behalf of an FI (including business information and Customer Information/ Consumer Information).
Does the Regulation or Guidance Address Information Security Programs? Yes. Covered Entities are required to maintain a cybersecurity program and written cybersecurity policies addressing protection of Information Systems and Nonpublic Information. Yes. An FI must maintain a comprehensive written information security program that includes appropriate administrative, technical and physical safeguards. Yes. FIs should maintain an information security program that (among other things): (a) supports the FI's IT risk management processes, (b) integrates with the FI's lines of business and support functions, and (c) integrates third-party service provider activities with the FI's overall information security program.
Must the Programs/ Policies be Subject to Formal Reviews & Approvals? Yes. The cybersecurity policy must be reviewed at least annually by the Board of Directors or an equivalent governing body, and approved by a senior officer. Yes. An FI's Board of Directors (or a Board committee) must approve the FI's written information security program. An FI's Board of Directors (or a Board committee) should approve the FI's written information security program.
Is the Covered Entity Required to have a Chief Information Security Officer (“CISO”)? Yes. A Covered Entity must have a CISO that is responsible for managing the Covered Entity's cybersecurity program. Not expressly addressed, but the Board of Directors (or a Board committee) is obligated to assign “specific responsibility for [an FI's information security program] implementation.” Yes. An FI should designate at least one information security officer responsible for implementing and monitoring the FI's information security program. The designated information security officer should report to the Board of Directors or senior management.
Are Any Special Reports or Certifications Required? Yes. The CISO is required to present (at least bi-annually) a report to the Board of Directors (or equivalent governing body) regarding the Covered Entity's Information Systems, cybersecurity policies, cyber risks and cybersecurity events. The report is to be made available to the NYDFS Superintendent upon request. In addition, by no later than January 15th of each year, the Covered Entity must provide a written certification to the NYDFS Superintendent regarding such entity's compliance with the NY Cybersecurity Regulations. Yes. At least annually an FI must present to its Board of Directors (or a committee of the Board of Directors), a report on the status of the FI's information security program and the FI's compliance with the Interagency Guidelines. Yes. At least annually management of the FI should provide the Board of Directors with a report on the status of the information security program and other material matters related to the program.
Is Encryption Addressed? Yes. Each Covered Entity must encrypt all covered information – both in transit and at rest. Encryption is not expressly required, but an FI must consider whether encryption of electronic Customer Information (either in transit or storage) is appropriate. Encryption is not expressly required. Instead, FIs can make risk based decisions whether to encrypt information based on the sensitivity of data, the risk of disclosure and the cost of encryption.
Is Notification Required in the Event of a Data Security Incident or any Similar Matter? Yes. A Covered Entity must notify the NYDFS Superintendent within at least 72 hours of: • becoming aware of any material cybersecurity events affecting the operation of the Covered Entity or Nonpublic Information; and• the identification of any material risk of imminent harm to the Covered Entity's cybersecurity program. An FI should have an incident response program with procedures for (among other things) notifying: • its primary regulator as soon as possible after becoming aware of unauthorized access/use of sensitive customer information;• law enforcement in cases of criminal violations; and• customers as warranted. FIs should have protocols to define how, when and under what circumstances to notify and involve regulators, customers and law enforcement.
Must/Should the Information Security Program Address and Extend to Service Providers? Yes. Yes. Yes.
Enforcement: The NYDFS Superintendent can bring enforcement actions and seek fines for violations of the NY Cybersecurity Regulations. An FI's regulator may require an FI to submit a corrective action plan for addressing violations of the Interagency Guidelines. Financial penalties may also potentially be imposed. N/A. The FFIEC IT Examination Handbook for Information Security is not a law or regulation, but is used to guide examiners from regulatory agencies.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.