Starting Jan. 1, New York’s New Guidelines for Cybersecurity Will Impact Banks, Insurers
In 2016, cyberattacks against banks revealed weaknesses in the security of the global banking system and created an ongoing concern for financial institution executives. This new year, bank compliance departments, which already contend with federal cybersecurity laws and industry-wide cybersecurity guidelines, will face the New York State Department of Financial Services’ (NYDFS) expansion of regulation into cybersecurity risk management. The proposed cybersecurity regulation, which is likely to come into effect in January, would apply to all entities licensed, required to be licensed, or subject to other registration requirements under New York banking, insurance or financial services laws.
Importantly, New York sets a precedent as the first state in the nation to require its financial institutions to establish and maintain a cybersecurity program. Other states are likely to follow suit as consumers and legislators become increasingly focused on the integrity of the financial services industry following high-profile attacks.
The rules require covered companies to establish a cybersecurity program, adopt a written cybersecurity policy, designate a chief information security officer (CISO), ensure the security of nonpublic information held by third-party service providers, conduct annual penetration testing and vulnerability assessments, and train personnel on cybersecurity, among other requirements. Covered companies will have a 180-day transitional period to comply. Once the regulation is in effect, covered companies must annually prepare and submit to the superintendent of financial services a certification of compliance with the regulation, starting Jan. 15, 2018.
Breach Notification Requirement
Notably, the regulation includes a 72-hour breach notification deadline for incidents involving "nonpublic information," a category that covers a broader range of customer information than most state data breach notification laws. According to the NYDFS, if nonpublic information has been, or may have been, tampered with, accessed or used in an unauthorized manner, the covered company must report the incident to the superintendent of financial services within that 72-hour window.
The regulation defines nonpublic information as including these categories of business information, among other data elements: