In a recent letter to the 18 members of the Financial and Banking Information Infrastructure Committee (FBIIC), Acting Superintendent of the New York Department of Financial Services (NYDFS) Anthony Albanese requested collaboration and regulatory convergence among the members on cybersecurity standards for financial institutions. FBIIC member organizations include the eight federal financial institution regulatory agencies, the US Department of the Treasury, two Federal Reserve Banks, the National Association of Insurance Commissioners, the Conference of State Bank Supervisors, and the Securities Investor Protection Corporation.
Acting Superintendent Albanese stressed the need for coordinated efforts with relevant state and federal agencies to develop a comprehensive cybersecurity framework, addressing the most critical issues while preserving flexibility to address NYDFS-specific concerns. In NYDFS’s view, potential regulations would require a financial institution to maintain a cybersecurity program covering 12 key areas:
- Information security
- Data governance and classification
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Capacity and performance planning
- Systems operations and availability concerns
- Systems and network security
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Incident response, including by setting clearly defined roles and decision making authority
Under NYDFS’s potential cybersecurity framework, NYDFS would impose stringent standards related to cybersecurity personnel, audit trail systems, vendor/third-party service provider management, multi-factor authentication, and notification requirements. For example, NYDFS would require a financial entity to designate a Chief Information Security Officer responsible for preparing an annual cybersecurity report and submitting the report to NYDFS after it has been reviewed by the board of directors.
The potential regulations provide clear guidance on NYDFS’s expectations regarding cybersecurity programs, but would introduce new, enhanced requirements with which financial institutions would be required to comply. Both financial institutions regulated by the NYDFS as well as vendors that provide services to such institutions should closely monitor developments in this area and should expect the NYDFS to issue proposed regulations.
At this point, it is unclear the extent to which the other financial regulatory agencies are interested in coordinating cybersecurity regulation efforts, or even if cybersecurity is a priority item. In our view, it is unlikely that the NYDFS will significantly delay its own cybersecurity regulations to wait for input from other agencies.