New York's DFS Final Cybersecurity Requirements – Will Others Follow?
While NAFCU is focused on federal compliance issues, a new state cybersecurity rule has made waves in recent months. The New York State Department of Financial Services (DFS) issued final regulations with mandatory cybersecurity requirements for financial services entities in February of this year. The regulations became effective March 1, 2017, with a series of implementation deadlines for covered entities at 180 days, one year, 18 months and 24 months – meaning for state-chartered credit unions in New York, the first compliance deadline is right around the corner, August 28, 2017. A covered entity is any entity operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York banking, insurance or financial services laws. There are limited exemptions for entities with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years, or less than $10 million in year-end total assets; note that these are exemptions from certain sections only, not from the regulation as a whole, and an entity relying on one must file a notice of exemption with the DFS. The New York regulations signal an enhanced focus on risk-prioritized, actively managed cybersecurity, with a corresponding compliance burden and increased cost to financial institutions.
Here are some of the significant requirements under the DFS cybersecurity regulations:
- Written, regularly maintained cybersecurity policies, including a written incident response plan.
- A designated chief information security officer (CISO) to oversee the cybersecurity program, with access to the board and/or senior management and a written report to them at least annually.
- Any cybersecurity event must be reported to the DFS no later than 72 hours from a determination that a cybersecurity event has occurred that either: 1) requires reporting to a government, regulatory or supervisory body; or 2) has a reasonable likelihood of materially harming the normal operations of the covered entity.
- Annual certification by the board or a senior officer that the covered entity is in compliance.
- Penetration testing and vulnerability assessments on a regular schedule (annual penetration testing and at least twice-yearly vulnerability assessments, unless the entity performs continuous monitoring), scoped according to the entity's risk assessment.
- A five-year audit trail retention period, with enough data retained to reconstruct material financial transactions.
- A program for monitoring compliance and the effectiveness of the cybersecurity program.
- A third-party service provider security policy covering risk management and review of the providers' cybersecurity practices, with periodic assessment and audit.
Many of these requirements are broad in scope, so the DFS has issued further guidance on a frequently asked questions page, including questions on the scope of entities that must comply, which can be found here.
Industry observers expect the DFS to enforce its regulations quickly, with infractions incurring civil penalties and possibly criminal penalties. The requirement for a designated CISO is widely read as ensuring there is going forward "a person who is to blame" for any infractions. Unfortunately, the actions by the New York DFS may be a harbinger of similar regulation by other states or by the federal government, as the United States is considered to be behind in comparison to the European Union's General Data Protection Regulation (GDPR).