A close look at the cybersecurity rules New York State financial regulators proposed this week finds much that is familiar from federal bank guidelines, but a new breadth and depth.
While large banks already have many of the policies and protections described by the Department of Financial Services, some small state-chartered banks, insurance companies, state-licensed lenders and money transmitters are likely to find compliance a challenge.
Things could get messy if other states start coming out with their own cybersecurity rules.
"Just think of the hodgepodge of state breach notification laws. There is a difficulty here if other states impose different standards," said Jeff Taft, a partner in Mayer Brown's Cybersecurity and Data Privacy and Banking and Finance practices.
Another scenario is that New York's rules could become the reasonableness standard for security in the financial industry.
Under the safeguards rule of the Gramm Leach Bliley Act of 1999, "you're required as a financial institution to have a security program that is consistent with what's reasonable in the industry," noted Mercedes Tunstall, partner in the Washington law firm Pillsbury Winthrop Shaw Pittman. So potentially every bank could wind up having to adhere to the New York rules.
Former DFS superintendent Benjamin Lawsky was the driving force behind the regulation. He set this work in motion in 2014 with surveys of banking and insurance companies, followed by cybersecurity reports and exams that were used in the drafting of the regulation. The drafting was done under the watch of Maria Vullo, who was confirmed as superintendent in June.
The proposal, which is subject to a 45-day comment period, includes rules around data protection, disaster recovery and resilience, security incident response and reporting, network and application security, physical and environmental controls, penetration testing and training, third-party security assessment and monitoring, and many other aspects of cybersecurity.
Part of the New York plan rehashes what's in the Federal Financial Institutions Examination Council cybersecurity assessment guidelines and the National Institute of Standards and Technology security framework, some of which emerged out of the lessons learned from 9/11, Hurricane Katrina and other disasters. But New York's proposal goes further, especially in the areas of data encryption and authentication.
Protecting 'Nonpublic' Data
A major point at which New York's proposal diverges from the FFIEC's cybersecurity exam handbook is data encryption. The FFIEC requires banks to encrypt "sensitive" data, which generally means customer data and confidential business information, such as documents about an unannounced merger. New York's regulation tells banks to encrypt all nonpublic information, meaning "all electronic information that is not publicly available." Public information is defined as what a bank "has a reasonable basis to believe is lawfully made available to the general public from: federal, state or local government records; widely distributed media; or disclosures to the public that are required to be made by federal, state or local law."
So most data would fall under the category of "nonpublic" and therefore need to be encrypted, both at rest and in transit. That's more than has been asked of businesses in the past.
"A lot of institutions have some encryption of data," said Taft, noting that Massachusetts requires encryption of data in transit. "I don't think most companies have encryption for data at rest."
The requirement to encrypt nonpublic data is more specific and explicit than the cybersecurity guidance that exists for banks today, according to Valerie Abend, managing director and head of the U.S. cybersecurity practice at Promontory Financial (until June, she was senior critical infrastructure officer at the Office of the Comptroller of the Currency).
Banks would have a little time to get their data encryption technology in place, she noted. Bank chief information security officers would get until January 2018 to encrypt all nonpublic data in transit. "Until then, the CISO has to sign off on whatever the compensating control is," Abend said. All nonpublic data at rest has to be encrypted within five years.
Another thing that's noteworthy in the New York plan is the strong recognition of third parties, particularly information security vendors, and the role they play in overall cybersecurity.
New York banks would have to monitor the adequacy of their vendors' cybersecurity practices and set policies around their interactions with vendors that would include, "to the extent applicable," the use of multifactor authentication, encryption, identity protection for customers, cybersecurity audits, and "representations and warranties from the third-party service provider that the service or product provided to the covered entity is free of viruses, trap doors, time bombs" and the like.
This is sure to present a challenge because companies that lack state-of-the-art cybersecurity technology don't know they have viruses or malware on their computers. Even some of the largest and best-protected companies don't know of all the malware that lurks in their networks, due to the rapidly growing sophistication of malware and the one-step-behind nature of antimalware software.
The rule would also require third-party providers to inform banks of any security breach.
Federal regulators already require such notification, but in the New York plan "a third party not only has to tell the institution but potentially provide identity protection services to the institution's customers," Abend said.
New York's proposal is also more specific about the use of multifactor authentication.
"If you look at the FFIEC guidance, multifactor authentication is about taking a risk-based approach and they talk about some of the bigger risks in certain areas," Abend said. "This is more explicit, partly because of the nature of it being a regulation versus guidance."
New York requires an "inherent factor" to be used for authentication, noted Tunstall.
"It doesn't have to be biometrics, though it often is," she said. "It can be things like a thumbprint, a voice imprint, take a picture of yourself now. It's something inherent to you or to the circumstance, an action you take in the moment."
For a lot of banks, following this requirement "will be a challenge, especially for very small entities," Tunstall said.
New York also proposes requiring the preservation of audit trail records for six years, so if there is a cybersecurity event, investigators can look at logs and records to analyze what happened, how it happened, and how such a breach might be prevented in the future. This is a tough requirement because cybercriminals have gotten good at altering logs to delete them or to cover their tracks.
"They're tuned in to the fact that this is something bad guys are doing," Abend said.
Another unique aspect of the New York proposal is it broadly defines information systems that must be protected to include telephone switching and environmental control systems.
"That's super important, because if a bank's telephone system is hacked into and messed with, that's going to be a problem," said Tunstall.
Environmental controls (such as heating and air conditioning systems) are a favorite of hackers. "Environmental controls are relatively dumb systems," Tunstall said. "If you can hack into that you can mess around with the environmental controls, especially where servers are maintained. Then you can cause it to overheat quickly and really mess up the banking system. Those are great inclusions but we don't typically see that in the definitions of the systems that need to be protected."
New York's proposal also drills down into access privileges.
"I spend an inordinate amount of time talking to companies about the importance of identity access management," Tunstall said. "That means you should go through every single role in a company and determine, does that role require access to protected information? If it doesn't, then systems need to be designed in such a way that that person never has access to that information."
Access privileges are also mentioned in the FFIEC guidance, but in a less specific way, she said.
Small Banks Will Feel It
Large banks have most of what the New York regulator calls for already, Tunstsall said, with the possible exception of the authentication requirements.
Smaller entities are likely to have to scramble to meet some of these rules.
"The covered entities go from Citibank all the way down to a two-person licensed lender shop. That's a real range," Tunstall said. "That's why the FFIEC guidance and the NIST standard are not that specific, because the impact on those smaller entities is so high potentially."
Taft agreed with that assessment. "There's a whole host of smaller institutions that don't have anything like this in place and they're the ones that will feel a lot of the burden of it," he said. "I think the banking agencies have traditionally tried to give the banks flexibility, recognizing that what works for Citibank doesn't necessarily work for State Bank Q down the street. This is a one-size-fits-all."
Some of the things smaller banks are likely to find challenging, Taft said, are systems monitoring, the maintenance of log files for six years, and dual factor authentication for cases beyond online banking.
"That's a fairly high technology bar. All this is stuff you can procure, but it's going to have a cost," he said.
Despite all the headaches and challenges, Tunstall said the proposed New York rule is a good move.
"As somebody who does a lot of counseling on cybersecurity I was glad to see this because the specificity is needed, and forcing this conversation to happen is important," Tunstall said. "The FFIEC provides good parameters, there's nothing wrong with it, but it's not specific enough. The same with the NIST cybersecurity framework. I'm happy to see this because it does put the teeth into what those standards and ideals are."
Editor at Large Penny Crosman welcomes feedback at