The rules address a broad range of cybersecurity issues, from the maintenance of written policies, governance and auditing, to detection, defence and response measures, testing requirements and incident reporting.
The new regulation (14-page / 342KB PDF) has been set by the New York State Department of Financial Services (DFS) and will apply to firms holding a banking, insurance or financial services licence to operate in New York. A limited number of exemptions apply, including for firms with few employees or low revenues or assets.
The rules are effective from 1 March, but firms will have 180 days to make any changes necessary to comply before enforcement action would be threatened, with a longer transitional period in place for compliance with some of the new rules.
Under the new rules, financial services companies will be required to "maintain a cybersecurity program" that can "protect the confidentiality, integrity and availability" of their information systems. The program must incorporate detection, defence and response mechanisms, including regulatory reporting obligations, as well as penetration testing.
The firms must design their cybersecurity program in line with their own risk assessments, which must provide for the secure maintenance of systems that "are designed to reconstruct material financial transactions sufficient to support normal operations and obligations" of the firm.
The new rules also require firms to keep a record of "cybersecurity events that have a reasonable likelihood of materially harming any material part of the[ir] normal operations" and to report those incidents to the DFS "as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred".
A cybersecurity event is defined as "any act or attempt, successful or unsuccessful, to gain unauthorised access to, disrupt or misuse an information system or information stored on such information system".
The firms also have to set out policies that address a range of cybersecurity issues, from information security and data governance, to access controls and systems and network monitoring, data privacy and incident response. They must also have policies and procedures in place to address cybersecurity at third party service providers they engage with.
Each firm must designate a chief information security officer to oversee the implementation of the policies and the enforcement of them. The CISO can be employed by an affiliate or third party provider, but a senior staff member must be appointed by the firm to liaise with the third party where this function is outsourced.
The firms must also "utilise qualified cybersecurity personnel" either internally or through affiliates or third party service providers to manage their cybersecurity risks and undertake activities in line with the cybersecurity program.
The new rules also back the use of encryption and multi-factor authentication procedures, or protocols that are "reasonably equivalent" to them or that offer "more secure access controls".
The board of directors or an individual 'senior officer' at firms must certify their firm's compliance with the new rules.
DFS superintendent Maria Vullo said: "With this landmark regulation, DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information. As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber-attacks."
In a recent series, Pinsent Masons, the law firm behind Out-Law.com, looked at which people are typically behind cybersecurity breaches and the methods they use, what the common vulnerabilities are and what good IT security looks like.
The series also addressed how the legal landscape and regulatory fines are changing, as well as the rising threat of ransomware. It also looked at how businesses may be able to seek protection afforded by legal professional privilege, and what they need to consider when working with criminal authorities, as well as the advantages of engaging credit monitoring after a breach, and the potential benefits of taking out cyber insurance.