On November 9, 2015, the New York State Department of Financial Services (“NYDFS”) issued a letter to several federal regulatory agencies and trade organizations advising of potential new state regulations intended to increase cybersecurity in the financial services industry. The NYDFS issued the letter following risk assessments performed in 2014 and 2015 that identified industry-wide vulnerabilities in the cybersecurity arena. In particular, these assessments identified third-party service providers as a consistent weak link in the cybersecurity efforts of financial institutions. Though the vast majority of financial institutions required at least some third-party vendors to follow cybersecurity protocols when handling sensitive customer information, the assessments found that less than half of financial institutions conducted on-site audits of these vendors to ensure compliance with cybersecurity requirements.
In light of these findings and the increased sophistication of hackers attempting to access sensitive consumer data, the NYDFS is considering new regulations that would require financial institutions to implement certain measures designed to increase cybersecurity. The November 9 letter outlined key regulations that the NYDFS is considering. The potential regulations would require covered entities to:
- Implement and maintain written policies and procedures addressing cybersecurity concerns, including the privacy of customer data and network security;
- Implement and maintain written policies and procedures requiring certain provisions in contracts with third-party vendors to ensure the security of data accessible to vendors, including required use of multi-factor authentication to access sensitive data, encryption of data, and the ability of the financial institution to perform audits of third-party vendors;
- Use multi-factor authenticate to access certain sensitive information;
- Designate a chief information security officer to oversee the institution’s cybersecurity and submit reports to the NYDFS;
- Implement and maintain guidelines to ensure the security of the institution’s applications;
- Employ personnel to manage cybersecurity risks;
- Conduct annual testing, quarterly vulnerability assessments, and maintain an audit trail; and
- Immediately report certain cybersecurity incidents to the NYDFS.
Financial institutions would be wise to assess their own cybersecurity vulnerabilities and to consider periodic audits of their service providers with access to sensitive customer data. Should the NYDFS move forward with the proposed regulations, the regulations are likely to create a new national standard for managing cybersecurity risks at financial institutions.