C-level executives at most financial firms operating in New York will have one more reason besides the fear of a data breach to change their corporate governance for cybersecurity this year: New York State’s amended regulation.
Electronic securities lending and borrowing platform EquiLend’s recent announcement that it was the target of a ransomware attack followed New York’s adoption of a new cybersecurity law. On January 24, EquiLend announced that many of its systems were offline due to “a technical issue” which began two days earlier. On January 25, EquiLend issued an updated report saying there was a breach caused by hackers. The outages, which affected the NGT trading platform and the post-trading system, caused some EquiLend customers to manually process securities lending deals and to delay regulatory reporting.
EquiLend’s breach followed an agreement with private equity firm Welch, Carson, Anderson & Stowe to buy a majority stake in the second quarter of 2024. By the time FinOps Report went to press EquiLend was reportedly back to normal. Founded in 2001, the New York-based electronic platform is backed by some of the biggest names on Wall Street including Goldman Sachs, Morgan Stanley and JPMorgan Chase. About US$24 trillion in transactions are executed each month worldwide.
Chief information security officers, chief executive officers, and boards of directors at financial firms won’t want to find themselves in EquiLend’s shoes. They also won’t want their firms to pay hefty regulatory fines for violating the New York Department of Financial Services’ upgraded requirements for cybersecurity, which place greater emphasis on the responsibilities of some C-level executives. CISOs, CEOs and boards of directors will likely be spending a lot more time getting to know each other a lot better this year to prevent a cyberattack and, if one occurs, to return their operations to normal more quickly.
The NYDFS’ new cybersecurity regulation marks the second set of changes since the legislation was adopted in 2017, but the first time the obligations of a board of directors have been explicitly defined under Part 500. Adopted in November 2023, the rules take effect in phases from December 1, 2023, to November 1, 2025. As of December 1, 2023, CISOs must report cyber incidents to the NYDFS, and the regulatory agency has devised a long list of what constitutes an incident.
The next immediate challenges for covered financial firms in 2024 will be to meet this year’s April 15, April 29, and November 1 timetables, which call for CEOs, CISOs and boards of directors to collectively determine and approve a strategy for data protection. “Effective enterprise-wide communications will be required, because the NYDFS will no longer allow CEOs and boards of directors to pass the entire responsibility for cybersecurity management to CISOs,” says Edward Horton, a partner at the law firm of Seward & Kissel in New York. “CEOs and boards of directors will now be required to take on a more active part in the oversight role.”
Under the NYDFS’ requirements, the CISO’s role will be to develop and enforce a cybersecurity program, while the obligation of the senior governing body, typically a board of directors, will be to approve the cybersecurity program and any changes in policies and procedures. The CEO must also be directly kept in the loop at all times rather than finding out what is going on from secondhand sources. “Unlike CISOs, CEOs and members of boards of directors are not required to be experts in cybersecurity, but they will need to understand enough to make informed decisions,” says Justin Herring, a partner at the law firm of Mayer Brown in New York. “CISOs will also be required to report directly to CEOs and boards of directors, not intermediaries, about their data breaches, cybersecurity programs, and their corrective measures.”
Based on the language of the NYDFS’ new legislation it appears that the agency will more rigorously enforce the need for good cybersecurity hygiene. The NYDFS clarified that it will fine a covered entity that has failed to secure or prevent unauthorized access to non-public information regardless of the impact. A covered firm will also be fined if it does not comply with any of the NYDFS’ cybersecurity requirements for 24 hours. The clock will start to tick as soon as the failure occurs, not when it is discovered.
Legal experts speaking at panels focused on cybersecurity at a recent Legalweek event in New York predicted that the NYDFS won’t hold a CISO or CEO personally liable for a cybersecurity breach as long as a reasonable cybersecurity program is in place. However, the NYDFS will fine CISOs and CEOs if they downplay the extent of a cybersecurity breach or inflate the state of their firms’ preparedness. “The offense has to be pretty egregious,” said one panelist. “Cyberattacks might be forgiven as an inevitable event, but lying is an entirely different matter.” All of the panelists emphasized the importance of having internal and external legal counsel at the decision-making table to design the best cybersecurity programs, not just to react after a cyberattack occurs.
CISOs are taking notice of the NYDFS’ harder line towards effective cybersecurity oversight. Five CISOs at banks in New York tell FinOps Report they have made presentations to their CEOs and boards of directors about how the NYDFS’ revamped regulations will affect their firms. One CISO says he has created “Cliff notes” for his board while two others say they are dedicating an hour each week to explain any changes in cybersecurity policies and procedures to their CEOs needed to meet the NYDFS’ requirements. All of the communications are being documented to ensure that the NYDFS is confident that the critical C-level executives are in the loop for all decisions.
Tony Pietrocola, president of Cleveland-based global cybersecurity firm AgileBlue, recommends that CISOs consider their target audience when preparing cybersecurity lessons. Speaking in terms of risk scores and mitigation methods is the best way to build trust. Viewing cybersecurity as an organizational issue, rather than a technical one only, shifts the discussion to a management priority. “Talking tech always puts non-technical executives on the defensive,” he tells FinOps Report. “To appeal to non-technical C-suites and boards of directors, CISOs need to score cyber risks and show how each risk can be mitigated.”
All US banks chartered in New York will fall under the NYDFS’ rules. About 75 percent of foreign banks in the US could be subject to the rules as they have New York branch offices. However, some financial firms with only a handful of employees in New York and low revenues might be eligible for an exemption. “A financial firm operating in New York must carefully analyze whether it meets the criteria for an exemption and even if it does, it will still have to fulfill some of the requirements with regard to safeguarding critical data,” cautions Horton.
For the first time, the NYDFS has also created a category called Class A companies which must follow additional requirements. One of those, as of April 29, is to perform independent audits of their cybersecurity programs based on risk profiles. Independent can mean either through a third party or internally as long as no undue influence was exerted to alter the results. Class A companies are those with at least US$20 million in gross annual revenue in the last two fiscal years from the business operations of the covered entity and its affiliates in New York. One of two additional conditions must also be fulfilled. The covered company must have on average a combined 2000 employees for itself and for its affiliates regardless of where they are located. Alternatively, the company must have US$1 billion in gross annual revenue in each of the last two years from all business operations of the covered entity and all of its affiliates.
According to the NYDFS’ new policy, when calculating the number of employees and gross annual revenue to determine whether a firm meets the definition of a Class A company, affiliates should be considered only those that share information systems, cybersecurity resources, or all or part of a cybersecurity program with the covered entity. Based on the NYDFS’ criteria, fund management and broker-dealer subsidiaries of large US national banks will likely fall under the NYDFS’ cybersecurity rules because they typically rely on the same cybersecurity infrastructure as their parents.
By April 15, CEOs and CISOs of covered financial firms must for the first time jointly certify that their firms have been in “material” compliance with the NYDFS’ new cybersecurity rules for the previous year. If they can’t certify “material” compliance, they must explain which aspects of their cybersecurity program are not compliant and for the first time elaborate on how the deficiencies will be fixed. No longer will the certification of any senior official be sufficient. “Covered companies should do a gap analysis between the new requirements and their cybersecurity programs, along with a road map for closing any gaps that is consistent with the timeline for implementing the new Part 500 requirements,” says Trisha Sircar, a partner at the law firm of Katten Muchin Rosenman in New York. “The gap analysis will likely include a review and update of the appropriate budgets.”
Compliance and technology budgets will likely have to increase to meet the 2024 and 2025 requirements, say many legal experts, as covered firms may choose to consult with external legal counsel and cybersecurity experts for advice. They may even use consultants to do the gap analysis. Three of the five CISOs who agreed to speak with FinOps Report confirm they have hired consulting firms to help design their programs and/or do testing.
CISOs won’t have an easy time asking CFOs to sign off on higher budgets. A CFO’s job, after all, is to make certain that all investments result in a return for the business unit instead of only becoming costs. “CFOs can use zero budgeting to show the CFO that he or she cares and knows where the spending is going, because everything will be evaluated annually,” recommends Pietrocola. Paying close attention to detail is also critical to success. “A good CISO will show the CFO the regulation, the potential fine for non-compliance, what budget it will take to mitigate a risk completely and the budget it will take to minimally reduce a risk,” says Pietrocola. Such an analysis, he believes, must be done using a line-by-line itemization and include the potential costs of ransomware and disruption of service.
Certifying compliance with the NYDFS’ requirements is nothing new. What is new is how compliance is defined. “Among the changes to the NYDFS’ cybersecurity certification requirement, the one requiring the ability to identify material issues as part of the certification process is the most difficult to follow because it is the most subjective,” explains Joanna Fields, managing principal at financial services and risk management consultancy Aplomb Strategies in New York.
Several CISOs recently attending Legalweek in New York, who spoke with FinOps Report, also confirmed they worried about whether they can verify material compliance. Fields recommends that CEOs and CISOs consult with their firms’ legal counsels to determine which factors will define material issues, which deficiencies must be disclosed and how remediation will be done. Following the motto of “the truth will set you free” is a double-edged sword. Omissions can generate hefty fines and full transparency can also open a Pandora’s box to further investigation and potential penalties.
The accepted new litmus test for material compliance appears to be not what it is, but what it is not. Material does not mean an absolute 100 percent compliance rate. It also doesn’t mean being compliant with most of the NYDFS’ requirements. “The best interpretation is that whatever is wrong with the firm’s cybersecurity program won’t be enough to harm the covered firm,” says Cathy Mulrow-Peattie, a partner with the law firm of Hinshaw & Culbertson in New York. However, what is material for a covered firm may not be material for its affiliates and the covered firm is required to certify material compliance for all of its affiliates. Therefore, a separate analysis must be conducted for each one. According to the NYDFS, a covered entity may adopt an affiliate’s cybersecurity program in whole or in part as long as the covered entity’s overall cybersecurity program meets all of the relevant requirements. The covered entity would still be responsible for its own compliance and certification on an annual basis.
The need for both the CEO and CISO to sign off on material certification will prompt their relationship to evolve because they must find common ground. “The CEO must repeatedly ask the CISO about his or her analysis of the firm’s risks and proposed improvements,” says Herring. “The CISO will, in turn, question his or her subordinates in application development, testing and procurement to sign off on the preparedness of their units.” Because the discussions will be ongoing, by the time April 15 rolls around the CEO and CISO will hopefully not lose any sleep over signing the certification.
The procurement department needs to be involved in the certification process because it is responsible for negotiating contracts with external vendors, which must also have policies and procedures in place to ensure cybersecurity hygiene. For covered firms that have too many vendors, the best methodology would be to focus on those which are the most critical to a firm’s operations and hold the most personally identifiable information, panelists at Legalweek in New York explained.
Vendor cyber-risk management is just one of the tasks which could make it difficult to sign off on material compliance. The others are the constant change of cyber threats and the risk posed by remote and non-full-time employees. “There could be nefarious action by remote and non-employees, or simple negligence,” says Pietrocola. As remote or hybrid work continues after the COVID pandemic, the risk of cyber breaches also rises as employees use weak passwords, work in public places, and conduct business on their private devices. Virtual private networks used to secure remote access to a company’s network are ripe for attack if they are poorly configured.
The saving grace for covered firms is that they don’t have to reinvent the wheel when it comes to developing a methodology for complying with the April 15 certification deadline. Herring and other legal experts recommend relying on the 2002 Sarbanes-Oxley Act for guidance while Fields suggests broker-dealers could leverage their governance framework for the SEC’s 2010 Market Access Rule. Both regulatory measures require a CEO to sign off on compliance. In the case of Sarbanes-Oxley, a CEO must certify the firm’s internal controls are in place to ensure the correct financial results. The Market Access Rule requires a CEO to ensure that when accessing an exchange or alternative market system, the firm has the correct risk management procedures in place.
Regardless of which regulation provides the best strategy for cybersecurity certification, the obvious should not be overlooked. Multiple departments must be involved in the certification process, and everyone needs to do his or her part. Hopefully, employees will have sufficient knowledge of cybersecurity to be confident the firm can attest to cybersecurity readiness or understand the shortcomings. “An IT director claiming that everything is fine, or executives refusing to sign an attestation are two red flags,” says Herring, who previously worked as the executive deputy superintendent of the NYDFS’ cybersecurity division.
The difficulty faced by CEOs in signing off on material readiness will be magnified for those in foreign headquartered firms due to geographic distance. Foreign banks might have a director of US operations or even a New York branch manager, but their CISOs are located overseas and typically consulted only when a US cybersecurity breach is suspected or has occurred. “Our relationship will have to change from a reactive to a proactive one to meet the NYDFS’ requirements,” one New York branch manager at a foreign bank tells FinOps Report. “I don’t have enough knowledge to understand all the legal and technical ramifications, so I will need to get up to speed to sign the certification.” Even senior-ranking North American directors at foreign banks must become more knowledgeable about their cybersecurity operations if they are not relying on the same procedures and technology as their parent bank or have little contact with their CISOs abroad.
The new role of the board of directors, as a financial firm’s senior governing body, starts to come into play as of April 29. The distinction in requirements for a board between the April 29 deadline and the November 1 deadline is a bit hazy, but it appears that the April 29 requirements place more onus on a CISO than on a board of directors. Beginning April 29, the CISO must inform the board about the firm’s policies and procedures to mitigate risk. The analysis should allow cyber controls to be revised to account for technology advances and evolving cyber threats.
The NYDFS has expanded the factors to be considered in evaluating risk beyond network hacking to reputational and customer risks, but never defines the latter risks. “Part of the CISO’s risk assessment should be an understanding of the risks to an organization’s reputation and customers if there are insufficient cyber controls and a subsequent incident occurs,” says Mulrow-Peattie. Calling cybersecurity a team sport, she recommends that covered firms include the finance, marketing, compliance and legal teams when making a risk assessment.
As of April 29, the CISO must also present a business continuity plan that includes how the firm will resume operations in the event of a data breach. While developing a business continuity plan is common practice, covered firms must now incorporate a twist. The NYDFS wants to know how technology systems will be returned to normal after a ransomware payment. “There are more onerous challenges to resuming operations after a ransomware payment than with other data breaches,” explains Herring. “In addition to restoring encrypted systems, the CISO must verify that the firm has left no stone unturned to ensure the perpetrator cannot find any gaps to reenter its systems.”
Several panelists at Legalweek in New York also pointed to the need for the business continuity plan to include a description of who will be contacted and when a cyber breach is discovered. The reason: escalation is critical to ensuring the right C-level decisionmakers will be available to plan how to mitigate the damage and return operations to normal as quickly as possible. Keeping an inventory of what type of data is held and where it is stored is important to determining the impact of the breach when reporting the incident and correcting any problems. Cyber insurance companies will also be keener to pay up if the proper documentation exists.
The November 1 deadline is the last chance boards of directors will have to get their houses in order, because that is the date their official responsibilities come into play. Among those responsibilities is confirming that their firms have allocated sufficient resources to implement and maintain effective cybersecurity programs. The CISO no longer has to do so. “In recognition of the fact that senior governing bodies, not CISOs, tend to make enterprise-wide resource allocation decisions, the NYDFS shifted that responsibility to the senior governing body,” writes the law firm of Gibson Dunn in a recent blog.
What happens if a board doesn’t have enough experience in cybersecurity to make the right decisions? It might be time to replace some board members with others that do, legal experts attending Legalweek in New York told FinOps Report. Some boards have subcommittees dedicated to cybersecurity, but the majority have members with limited cybersecurity knowledge.
If CISOs, CEOs and boards of directors at financial firms covered by the NYDFS’ cybersecurity rules think their biggest immediate worry should be complying with some of its requirements this year, they would be wrong. “When key regulatory regimes, such as the NYDFS and the Securities and Exchange Commission diverge, it can create challenges for companies that must adhere to both sets of requirements,” says Danette Edwards, a partner at Katten Muchin Rosenman in Washington, D.C. and former senior counsel at the SEC’s Division of Enforcement.
The NYDFS’ rules appear to be more prescriptive than the SEC’s and they include corporate governance to reduce the potential for cyberbreaches. The SEC is more focused on disclosure and requires material cybersecurity incidents, namely breaches, to be reported to the public within four business days, instead of the NYDFS’ three to the agency. Unlike the SEC, the NYDFS includes ransomware and extortion payments in its definition of cyber events. The covered firm under New York’s law must inform the NYDFS about any payment within one day of making the payment. Within thirty days, an explanation must be provided as to why the payment was necessary and what alternatives were considered. “Regardless of the distinctions between the NYDFS and the SEC’s rules, covered firms making any disclosures of cybersecurity events to both agencies should ensure that the information given to regulators is consistent,” says Mulrow-Peattie.
While extensive, the NYDFS’ recent changes to its 2017 cybersecurity regulation also might not be its last. “The proliferation of artificial intelligence, generative artificial intelligence, and large language models is on the NYDFS’ radar and may receive attention in forthcoming amendments,” writes the law firm of Gibson Dunn in its recent blog on cybersecurity. Although the NYDFS did not dedicate a section of its new regulation to artificial intelligence, the agency did recommend that covered firms include AI technologies when making risk assessments.