On September 13, 2016, the New York State Department of Financial Services (NYDFS) proposed cybersecurity rules that, if finalized in their current form, would create one of the most comprehensive, detailed and onerous cybersecurity standards in the country. While the proposed rules would apply only to financial institutions subject to the NYDFS’s authority under New York law, this proposal is important for all companies. It highlights a trend in which legislatures and regulators are revisiting decades-old approaches to cybersecurity and considering alternatives that would shift from a risk-based paradigm to a prescriptive approach. The NYDFS in particular has made great efforts to “spark additional dialogue, collaboration and, ultimately, regulatory convergence among” federal and state financial regulators on comprehensive cybersecurity standards for all financial institutions. In light of the significant role that New York plays in this country’s financial markets and NYDFS’s role as regulator for many financial institutions based in New York, this proposal comes with a level of credibility that could influence the broader, national dialogue and consideration of what cybersecurity standards are appropriate, even if NYDFS does not have unique expertise with respect to cybersecurity. If it does influence that dialogue, considering and monitoring this proposal will be important for all companies.
At the highest level, the proposed rules would require covered financial institutions to put in place controls designed to protect “nonpublic information” and the information systems that handle “nonpublic information.” While NYDFS believes that its proposal would establish “minimum” regulatory standards that are not “overly prescriptive,” the proposal is so prescriptive in some respects that it would be unworkable.
One critical issue with the proposal is the breadth of the definition of “nonpublic information” and the controls that would apply to that information. Instead of focusing on the types of information that, if misused, could harm a financial institution’s customers, the proposed rules include a four-part definition of “nonpublic information” that includes virtually any information about a customer. For example, the definition incorporates the federal Gramm-Leach-Bliley Act (GLBA) definition of customer information that applies for purposes of the GLBA privacy standards. As a result, the proposed rules would cover, among other things, any information that an individual provides to a financial institution in obtaining a product or service, any information about the individual that results from a transaction and any information that the financial institution obtains about the individual in connection with providing a financial product or service to the individual. This would include basic information, such as a customer’s name or the fact that the individual is a customer. While the definition makes sense in the context of the GLBA privacy rules that are focused on limiting disclosures of customer information to nonaffiliated third parties, it can lead to extreme results when tied to detailed cybersecurity controls, such as encryption, as is the case here.
The proposed rules include a number of “standard” data security controls that are required under existing federal and state law or have become best practices for regulated financial institutions. In fact, the NYDFS has incorporated into its proposal many of the controls required of federally chartered banks under the GLBA, as well as the federal banking agencies’ expectations on security communicated in the FFIEC examination handbook. For example, the proposed rules would require that a covered financial institution implement a cybersecurity program designed to protect nonpublic information, identify risks to that information and detect and respond to security incidents involving that information, and ensure that a qualified individual is responsible for overseeing the program and reporting to the institution’s Board of Directors regarding security. From a technical standpoint, a covered financial institution’s written policies would be required to address, “at a minimum,” fourteen security concepts and controls, including, for example, access controls, network monitoring and security, physical controls and vendor management.
The proposed rules, however, become far more prescriptive (and less process-based) when requiring the implementation of specific controls.
While the proposed rules would apply only to financial institutions subject to the NYDFS’s authority under New York law, it is worth noting that there will be compliance challenges for bank and financial holding companies that include federally chartered or other federally regulated entities in addition to one or more affiliates or subsidiaries that are subject to the NYDFS’s authority. In this regard, holding companies often create holding-company-level security policies and standards that apply to all financial institutions within the family of companies. There will undoubtedly be practical questions as to how to address the fact that the subsidiaries subject to the NYDFS’s authority are subject to less flexible standards, and whether to establish stand-alone processes to address this fact.
The proposed rules are now subject to a 45-day notice and public comment period, following their September 28, 2016 publication in the New York State Register, before their final issuance.