Skip to content

Brought to you by

Dentons logo

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

open menu close menu

Privacy and Cybersecurity Law

  • Home
  • About Us

New York Proposes First-in-the-Nation Cybersecurity Regulation for Financial Institutions

By Peter Stockburger
September 21, 2016
  • Consumer Protection
  • Data Breach
  • Data Transfers
  • Employee Privacy
  • Enforcement
  • New and Proposed Laws
  • Privacy Rights
  • United States
Share on Facebook Share on Twitter Share via email Share on LinkedIn

On September 13, 2016, the New York Department of Financial Services introduced a new rule that would require banks, insurance companies and other financial institutions regulated by the Department to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety of New York’s financial services industry.  The proposed regulation is subject to a 45-day notice and public comment period, following the September 28, 2016 publication in the New York State register before final issuance.

Under the proposed rule, regulated financial institutions would be required to:

  • Establish a cybersecurity program;
  • Adopt a written cybersecurity policy;
  • Designate a Chief Information Security Officer responsible for implementing and overseeing the new cybersecurity program and policy; and
  • Have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to third-parties.

Establishment of a Cybersecurity Program

According to the proposed rule, regulated financial institutions will need to establish a “cybersecurity program designed to ensure the confidentiality, integrity and availability of information systems that performs five core cybersecurity functions:”

  • Identification of cyber risks.
  • Implementation of policies and procedures to protect unauthorized access / use or other malicious acts.
  • Detection of cybersecurity events.
  • Responsiveness to identified cybersecurity events to mitigate any negative events.
  • Recovery from cybersecurity events and restoration of normal operations and services.

Additional requirements for each “cybersecurity program” include:

  • Annual penetration testing and vulnerability assessments.
  • Implementation and maintenance of an audit trail system to reconstruct transactions and log access privileges.
  • Limitations and periodic reviews of access privileges.
  • Written application security procedures, guidelines and standards that are reviewed and updated by the CISO at least annually.
  • Annual risk assessment of the confidentiality, integrity, and availability of information systems; adequacy of controls; and how identified risks will be mitigated or accepted.
  • Employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures.
  • Multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access.
  • Timely destruction of nonpublic information that is no longer necessary except where required to be retained by law or regulation.
  • Monitoring of authorized users and cybersecurity awareness training for all personnel.
  • Encryption of all nonpublic information held or transmitted.
  • Written incident response plan to respond to, and recover from, any cybersecurity event.

Adoption of a Cybersecurity Policy

The new rule would require regulated financial institutions to adopt a written cybersecurity policy, setting forth “policies and procedures for the protection of their information systems and nonpublic information that addresses, at a minimum, the following:”

  • Information security.
  • Data governance and classification.
  • Access controls and identity management.
  • Business continuity and disaster recovery planning and resources.
  • Capacity and performance planning.
  • Systems operations and availability concerns.
  • Systems and network security.
  • Systems and network monitoring.
  • Systems and application development and quality assurance.
  • Physical security and environmental controls.
  • Customer data privacy.
  • Vendor and third-party service provider management.
  • Risk assessment.
  • Incident response.

Creation of Chief Information Security Officer

The new rule would require regulated financial institutions to designate a qualified individual to serve as a CISO, responsible for “overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy.”  The new rule also would require the CISO to “report to the board, at least bi-annually to:”

  • Assess the confidentiality, integrity and availability of information systems.
  • Detail exceptions to cybersecurity policies and procedures.
  • Identify cyber risks.
  • Assess the effectiveness of the cybersecurity program.
  • Propose steps to remediate any inadequacies identified.
  • Include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.

Third Party Protections

The new rule also would require regulated financial institutions to have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, including the following:

  • Identification and risk assessment of third-parties with access to such information systems or such nonpublic information.
  • Minimum cybersecurity practices required to be met by such third-parties.
  • Due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-parties.
  • Periodic assessment, at least annually, of third-parties and the continued adequacy of their cybersecurity practices.

A draft of the proposed rule is here.

Share on Facebook Share on Twitter Share via email Share on LinkedIn
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Peter Stockburger

About Peter Stockburger

Peter Stockburger is the office managing partner for the Firm's San Diego office, a member of the Firm's Global Data Privacy and Venture Technology Groups, and co-lead of the Firm's Autonomous Vehicles practice. With a focus on data privacy and security, Peter partners with clients around the globe to leverage data and talent to grow, operate, and protect their business.

All posts Full bio

RELATED POSTS

  • Data Breach
  • Data Transfers
  • Enforcement
  • New and Proposed Laws
  • United States

NIST and USCG Issue New Maritime Industry Cybersecurity Profile

By Peter Stockburger
  • Government Information
  • United States

White House Signs New Cybersecurity Executive Order

By Peter Stockburger
  • Canada
  • Consumer Protection

MicroSD memory cards to be excluded from copyright levies

In a press release entitled “Harper Government Says No to Fees on Memory Cards”, Minister of Industry Christian Paradis announced the […]

By Margot Patterson

About Dentons

Dentons is designed to be different. As the world’s largest law firm with 20,000 professionals in over 200 locations in more than 80 countries, we can help you grow, protect, operate and finance your business. Our polycentric and purpose-driven approach, together with our commitment to inclusion, diversity, equity and ESG, ensures we challenge the status quo to stay focused on what matters most to you. www.dentons.com

Dentons boilerplate image

Twitter

Categories

  • Accountability
  • Asia Pacific
  • Canada
  • Cloud Computing
  • Consumer Protection
  • Cybersecurity
  • Data Breach
  • Data Transfers
  • Employee Privacy
  • Enforcement
  • Europe
  • General
  • Government Information
  • Health Information Privacy
  • Latin America
  • Marketing, Cookies & Spam
  • New and Proposed Laws
  • Privacy Notices
  • Privacy Rights
  • Record Retention
  • Smart Cities
  • United Kingdom
  • United States

Subscribe and stay updated

Receive our latest blog posts by email.

Stay in Touch

Dentons logo

© 2023 Dentons

  • Legal notices
  • Privacy policy
  • Terms of use
  • Cookies on this site