Cutting down one risk — that of a cybersecurity breach — promises to add a lot more risk of other kinds: increased costs and liability.
The New York State Department of Financial Services has gone further than its federal peers by mandating hard-and-fast policies instead of a risk-based methodology to control cybersecurity risks. The state has just published proposed rules requiring financial firms to follow 14 criteria for mitigating cybersecurity threats. In addition, firms would have to certify annually that they are compliant, and to report any cybersecurity “event” within 72 hours.
Comments on the proposals are due by November 12 and financial firms would have to comply as of June 30, 2017. That is only six months after the NY DFS’s suggested January 1, 2017 effective date.
The NY DFS’ proposed rules wouldn’t be the agency’s first leap into cybersecurity. It issued its first report on cybersecurity risks in the banking industry in May 2014, followed by one for the insurance market in February 2015 and a third one about the use of third-party service providers in the banking sector in April 2015. The NY DFS made known its intention to exceed federal cybersecurity rules in a letter to federal regulators in November 2015.
The proposed rules, considered the first of their kind for any US state, would cover any business regulated by the NY DFS, which could mean anyone from a giant global bank all the way to a small check casher. The proposals come after some of the world’s largest banks, including JP Morgan Chase and HSBC, have reported significant cyber intrusions and several US corporations have been the target of hacking thefts of customer information.
For New York’s largest financial institutions, the proposed rules might not sound all that onerous. After all, they already follow overlapping regulations from the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Securities and Exchange Commission and the Commodity Futures Trading Commission. However, the NY DFS proposal has far more prescriptive elements, and from what New York bank compliance managers tell FinOps Report, even the most technologically sophisticated and deep-pocketed financial firms have probably not met all the requirements.
“Federal regulations allow some flexibility in how banks and broker-dealers handle their cybersecurity responsibilities depending on their size and their evaluation of the potential risk involved,” explains Charles Horn, a partner with the law firm of Morgan Lewis & Bockius in Washington DC. “Not so with New York State’s proposed requirements which dictate what covered financial institutions should do in all circumstances. The state has taken a thou-shalt approach.”
Are the new rules worth the effort? Not everyone thinks so. “Effective cybersecurity should be flexible and tailored to the risks and needs of the cybersecurity program,” insists Horn. “These rules fail to recognize the burdens imposed by the new regulatory requirements and result in higher costs without necessarily more effective cybersecurity programs.”
Large US and foreign institutions with multiple subsidiaries or branch offices typically implement a single enterprise-wide cybersecurity policy at the holding-company level, explains Nathan Taylor, a partner with the law firm of Morrison & Foerster in Washington DC. New York State’s new rules, if implemented, would likely require them to deviate from that policy for their New York-regulated subsidiaries or branch offices. The compliance challenge could end up being quite troublesome if New York State’s rules deviate significantly from a bank or brokerage’s current practice.
The state’s 14 commandments outlined in its “Cybersecurity Requirements for Financial Services Compliance” must be established and monitored by a dedicated cybersecurity information risk officer. The requirements include ensuring customer data privacy, the management of vendor and third-party service providers’ cybersecurity policies, incident response, and incident reporting.
What’s So Hard
Of all the new requirements, the most difficult will likely be the annual certification of cybersecurity preparedness, the encryption of all non-public information, multifactor authentication, and the reporting of any cybersecurity event, say legal experts. Banks and broker-dealers typically establish a documented cybersecurity program with policies and procedures to follow. However, none of the federal regulations require certification by a senior-ranking official. Certification means that the bank is attesting that it has met all of the cybersecurity requirements. The board of directors will likely pass the buck to a senior company official, who will have to confirm whether the bank or brokerage firm’s multiple business lines and functional units — compliance, operations and technology — have done their jobs correctly.
“The annual compliance certification potentially opens the board of directors and the senior officer to serious liability if the certification is later found to be inaccurate or inadequate,” says Horn. “Moreover, the NY DFS has not provided guidance on whether a covered entity could explain material noncompliance matters and remediation efforts taken in response to such matters.” The result: directors and senior officers would likely be reluctant to sign any certifications.
Banks and brokerages will also have to encrypt all of the information on hand — everything located on a database, server or even a mobile device, regardless of just how sensitive it is. Unlike federal regulations, which call for banks and brokerages to decide on the level of encryption depending on the importance of the information, the NY DFS is taking a one-size-fits-all approach. “This is dramatic in light of the broad definition of non-public information and would exceed a sensible standard,” says Taylor. “As a practical matter, this would likely mean that a covered financial institution would have to encrypt every system and device that handles any customer information as well as every email sent to a customer.” The costs and the operational impact on availability and access could end up being quite hefty.
The NY DFS’ requirement for multifactor authentication in multiple contexts, including all remote access from an external network and privileged access to database servers, is also problematic. The language of the rules is far too muddled, and their application could be more extensive than existing federal standards, which allow flexibility in how multifactor authentication is implemented. “Does ‘privileged access’ mean any access to non-public information and would it include non-user access such as machine use of service accounts?” asks Taylor. “The proposed rules would also require risk-based authentication for access to web applications that handle non-public information and supporting multi-factor authentication for any individual accessing such web applications. The proposal is not clear if its focus is internal access, customer access, or both.”
Even more challenging than requiring such expansive encryption and multifactor authentication for a bank or broker-dealer is requiring it for third parties. The definition of third party includes just about any organization a covered financial firm does business with. “In light of the breadth of the proposed encryption and multifactor authentication requirements, the obligation to flow down to third parties will present significant challenges in the vendor procurement process,” says Taylor.
Even if banks and brokerages have prepared to the hilt for a potential cybersecurity breach, one can still happen. There is no such thing as 100 percent cybersecurity protection. However, based upon what the NY DFS has indicated in its proposed rules, it is unclear whether a financial firm should notify the agency only when an actual breach has occurred or also when it merely suspects that a breach may have taken place. “‘When in doubt, report everything’ will become the new motto, particularly because of the 72-hour timeframe to report,” says Horn. “By contrast, federal regulations allow the financial firm to determine its own timeframe for reporting.”
The NY DFS is asking for public comment, but given the short time frame and its clear intent to exceed federal regulations, banks and broker-dealers shouldn’t count too much on the NY DFS drastically changing its original proposal. For now, recommends Taylor, financial firms covered by the rules should analyze the extent to which they must change their current procedures and technology if the NY DFS adopts the rules as proposed.
“For the largest banks and broker-dealers that have mature compliance and information security functions, compliance with the new rules will be far easier to implement than for the smaller to mid-sized ones,” warns Taylor. “If a financial firm hasn’t established a solid cybersecurity program by now, it will definitely need to rely on outside cybersecurity consultants to help out, because the time period proposed for compliance is so short. Even so, if a financial institution is starting from scratch, it may not be possible to develop compliant policies and procedures by the 2017 deadline.”
One final bit of advice: speaking up about what is and isn’t achievable still might influence the NY DFS to adjust some of its requirements, says Taylor. “It’s now about asking the NY DFS to take into consideration what is practical. It might consider adjusting its encryption and multifactor authentication requirements.”