New York Department of Financial Services (NYDFS) Issues "First-In-The-Nation" Cybersecurity Regulations; Office of the Comptroller of the Currency (OCC) Bank Supervision Plan Lists Cybersecurity as a Priority Objective
On September 13, 2016, New York Governor Andrew Cuomo unveiled a proposed regulation mandating
cybersecurity requirements for financial services companies
regulated by the New York Department of Financial Services (NYDFS).
The public has 45 days to comment on the proposed regulation before
it becomes final and requires banks, insurance companies and
financial institutions to comply with a host of requirements. The
press release states the proposal "includes certain regulatory
minimum standards while maintaining flexibility so that the final
rule does not limit industry innovation and instead encourages
firms to keep pace with technological advances." In 2015, we
previewed this proposal.
The proposed regulation mandates a number of items, including: 1) the establishment of a cybersecurity program; 2) the adoption of a cybersecurity policy; 3) the designation of a Chief Information Security Officer (CISO); and 4) the creation of a program to review the security of third party service providers. It also includes detailed and specific requirements for a cybersecurity program, including: annual risk assessments; annual penetration testing and vulnerability assessments; certain procedures (e.g., application security) and standards (e.g., multi-factor authentication and review of access privileges); encryption of all non-public information "held or transmitted;" incident response plans; training; and many others.
Various aspects of the plan appear to track existing federal standards, including aspects of the National Institute of Standards and Technology (NIST) access controls; however, it includes other new requirements as well and will create minimum regulatory standards for those regulated by the NYDFS.
OCC Issues FY17 Bank Supervision Operating Plan: Cybersecurity Core to Oversight and Examinations
On September 14, 2016, the Office of the Comptroller of the Currency (OCC) also released its Bank Supervision Operating Plan (the Plan) for FY2017, with cybersecurity oversight at the heart of its Large Bank, Midsize and Community Bank, and Technology Service Provider supervision requirements. Cybersecurity is a core issue within Operational Risks to the institutions. The ability to assess the "evolving cyber threat environment and banks' cyber resilience," information security, data protection, and third party risk management are included in the continued
In the case of Midsize and Community Banks, the Plan states that "Examiners will continue to use the Cybersecurity Assessment Tool at banks not examined in FY2016 and follow up on any gaps identified in FY2016." Ultimately, the OCC makes it clear that it will continue to follow through on examinations for all entities, and that it expects all regulated entities to be rectifying any issues identified in recent
Consistent with the OCC's interest in the new technology being used by banks, the OCC will conduct focused examinations, "typically conducted on an interagency basis with the FDIC and the FRB," of technology service providers covering cybersecurity, enterprise risk management, third party risk management, change management, and product-and-service specific risks.