In parts I and II of this series on New York State's new banking security regulations, we explored the requirements due by August 28, 2017. If you are a Financial Institution operating within the state, you probably have most, if not all, of those items in place already. In this last segment, we will focus on what is due by March 2018 and beyond.
Beginning August 28, 2017
Notice of Cybersecurity Events to the Superintendent. Covered Entities must start notifying the NYDFS no later than 72 hours after they determine that an act or attempt, successful or unsuccessful, was made to gain unauthorized access to, disrupt or misuse an "Information System" (separately defined) or the information stored on it, if the event (a) requires notice to a government body, self-regulatory agency or any other supervisory body, or (b) has a "reasonable likelihood of materially harming any material part of the normal operation" of the Covered Entity.
What exactly does that mean? The successful breach and its subsequent reporting should come as no surprise to anyone; that is standard operating procedure. It's the inclusion of "attempt" and "unsuccessful" that got me scratching my head. Unsuccessful attempts on an FI happen constantly. What delineates a reportable instance from the ones that are blocked at the firewall or the IDS? It turns out the final clause, "reasonable likelihood of materially harming any material part of the normal operation", is the key. This last-minute addition, resulting from participant comments, takes it from a non-stop reporting process down to only those breaches thwarted at the last minute. It also leaves open to interpretation what the word "reasonable" means. It is likely that this will be very loosely interpreted and that only successful breaches will ever be reported. Expect this part of the regulation to be tightened up in the coming months to force covered entities to report more than just an actual breach.
By March 1, 2018
Risk Assessment. Although not formally required under the Rule until March 1, 2018, until NYDFS provides further guidance, Covered Entities would be well advised at a minimum to conduct a limited risk assessment as it relates to the development and implementation of a cybersecurity program, cybersecurity policies, and access privilege restrictions specific to the company's systems, services, and data.
Roughly interpreted, this section of the law requires that an entity perform an annual review, update its policies, implement changes where applicable, and not let the security program stagnate, as is often the case. It is sad that this has to be said in writing. For any federally chartered bank it is also somewhat redundant, since federal auditors are unlikely to be kind to any FI that does not maintain its security program. Still, it is a fair reminder: keep it going. Don't implement changes and then neglect to maintain them.
By March 1, 2022
Because of the amount of backlash, there is a dangling requirement out there with a 5 year exemption: encryption. The participating entities considered this too burdensome to accomplish in the near term. Not sure how you feel, but I think it's a little scary. This technology has existed for decades. The ability to encrypt and decrypt on the fly is not a new concept. The fact that a 5 year exemption has been granted should make any consumer take a second look at their bank. If the barbarians storm the gates, it would be a huge comfort to know that my private data is fully encrypted, at rest or in transit. It should be.
That sums it up, folks: the new NY State bank security regulations. They are the strictest in the country, and it is likely that other states will up their game to match them. Nothing included in them seems too onerous, and there is nothing, short or long term, that should not be in place already. If that is not the case, time is of the essence. Tick tock, tick tock….