NY Proposes “First in Nation” Cybersecurity Requirements
With a special shout-out to those of you who attended the Legal & Compliance Conference at the beautiful Turning Stone Casino, good morning.
In case you missed it, on Tuesday, New York State made big news when Governor Cuomo announced that the state was imposing Cyber Security Requirements on Financial Service Businesses. This is just a proposal, but it is the culmination of years of work by the DFS in this area. Those of you affected will have only six months to get up to speed, so pay attention.
First, the real basic stuff. The regulation would apply to any person operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law. A “person” means any individual, partnership, corporation, association or any other entity. A carve-out from many, but not all, of its requirements is made for entities with fewer than 1,000 customers in each of the last three calendar years, less than $5,000,000 in gross annual revenue in each of the last three fiscal years, and less than $10,000,000 in year-end total assets.
What are the requirements? Institutions would be required to have a cybersecurity program that addresses six major functions: the identification of cybersecurity threats based on the sensitivity of the nonpublic information stored by the institution; an infrastructure for defending against cyberattacks; the ability to detect cyberattacks; the ability to respond to and mitigate attacks; plans for recovering from attacks; and procedures for meeting new regulatory reporting obligations.
It’s really hard to argue with the general thrust of this proposal. There is very little being suggested that you shouldn’t already be doing. In fact, I would like to see the DFS clarify the extent to which procedures that financial institutions already have in place can be used to satisfy many of these requirements. For example, both state and federal credit unions are already required to have policies that implement “administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of member information.” (12 C.F.R. Pt. 748, App. A).
Stay tuned and feel free to give me feedback as the Association ponders what comments it should make to the DFS.
If Wells Fargo thought it was out of the woods by firing over 5,000 low-level employees and giving a $124 million “sorry we had to fire you” severance to a departing executive, it may have miscalculated. The WSJ is reporting that federal prosecutors are in the early stages of investigating possible criminal malfeasance on the part of the bank.