New York Governor Andrew Cuomo announced last week a
first-of-its-kind cybersecurity program for New York-regulated
financial services companies that would impose broad new
cybersecurity program requirements and require the appointment of a
Chief Information Security Officer. In addition to having the
capacity to identify cybersecurity risks and deter or prevent data
breaches, entities regulated by the New York Department of
Financial Services (DFS) would be required to establish a
cybersecurity program that can mitigate the negative effects of a
breach and restore normal operations and services, typically
through backup and redundant capabilities. A compliant program
would include annual penetration testing, employee training and an
audit trail system.
The proposed regulation would also require the adoption of a
written cybersecurity policy that addresses not only traditional
network security and controls like encryption and multifactor
authentication, but also:
- business continuity and disaster recovery planning and resources
- capacity and performance
- systems operations and availability
- systems and network security
- systems and application development and quality assurance
- physical security and environmental
- customer data privacy
- vendor and third-party service provider management (which themselves are required to have minimum cybersecurity practices and be periodically assessed at least
While the specificity in the draft regulation provides a useful
road map for firms looking to bring their policies up to date, it
also underscores the need for institutions to ensure that unwritten
or informal policies, even where followed rigorously, are properly
documented. The current draft also broadly defines
"nonpublic information" that must be protected by
encryption to include "any information that can be used to
distinguish or trace an individual's identity."
The regulation also requires that a firm's cybersecurity
policy be implemented by a designated Chief Information Security
Officer who reports at least biannually to the board of directors
on certain designated topics, including breach reports and the
remediation of deficiencies. Significantly, the regulations
require that the DFS be informed of any material breaches within 72
hours of their discovery.
While the Securities and Exchange Commission has monitored and
enforced cybersecurity at registered investment advisers since 2014
through its Office of Compliance Inspections and Examinations, this
represents a significant step by the DFS to regulate the
cybersecurity policies and practices of financial
institutions. Prior to proposing the regulation, the DFS
surveyed almost 200 regulated banking and insurance institutions to
identify best practices and emerging risks. The DFS has been
particularly focused on risks posed by third-party service
providers, as detailed in an April 2015 DFS report titled "Update on Cyber Security in Banking Sector:
Third-Party Service Providers."
The proposed regulation is subject to a 45-day notice and
comment period prior to final issuance. More information is
available here and a copy of the proposed language can
be found here.