New York State Department of Financial Services Cybersecurity Regulation Poised to Reshape Existing Regulatory Landscape
In late December, New York State’s Department of Financial Services (“DFS”) released its revised proposed cybersecurity regulation (the “DFS Rule”). While the revisions pare back some of the DFS Rule’s original requirements and add some much-needed flexibility, the regulation will still impose many new obligations on a wide array of financial institutions doing business in New York. The DFS Rule becomes effective on March 1, 2017.
The DFS Rule imposes a host of specific requirements on entities operating pursuant to a license, registration, charter, or similar authorization under New York’s Banking, Insurance, or Financial Services Laws (the “Covered Entities”) relating to the design and operation of their cybersecurity programs. Among other things, a Covered Entity’s program must protect nonpublic information and the confidentiality, integrity, and availability of its information systems. The Rule calls for written policies and procedures, risk assessments, monitoring and testing, audit trails, access controls, application security, third-party service provider cybersecurity standards, encryption, data retention limits, specific hiring and training practices, incident response planning, notification to the DFS regarding cybersecurity events, and annual compliance certifications. A Covered Entity must designate a Chief Information Security Officer to oversee and implement its cybersecurity program, policies, and procedures.
DFS regulates numerous types of financial entities in New York, including banks, trust companies, budget planners, check cashers, credit unions, money transmitters, licensed lenders, and mortgage brokers and bankers. The DFS does not have jurisdiction over broker-dealers and registered investment advisers, which are regulated at the federal level.
The DFS Rule has been met with resistance from various sectors of the financial industry, whose lobbying arms argue that the rule creates conflicts with existing national cybersecurity regulations and best practices. They also claim that the new rule presents the potential for duplication and confusion. One comment letter, submitted by a group that included the Securities Industry and Financial Markets Association, American Bankers Association, and the Financial Services Roundtable, stated: “Financial firms already have designed their cybersecurity programs to implement the NIST Cybersecurity Framework and comply with the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool and cybersecurity regulations under the Gramm-Leach-Bliley Act (‘GLBA’), which also adopt risk-based approaches.”
On this point, financial firms have certainly become accustomed to fulfilling their cybersecurity obligations under the federal rule-making regime that has been in place for the last 15-plus years. The primary existing federal counterparts to the DFS Rule are regulations derived from the GLBA Safeguards Rule. See 15 U.S.C. §§ 6801-09. The GLBA Safeguards Rule sets forth high-level information security directives, but mainly delegates rulemaking authority to various regulators to promulgate information security rules applicable to the entities under their respective jurisdictions. These include the Office of the Comptroller of the Currency (“OCC”), Board of Governors of the Federal Reserve System (“Federal Reserve”), Federal Deposit Insurance Corporation (“FDIC”), Office of Thrift Supervision (“OTS,” whose functions were transferred to the OCC and other agencies when it was abolished in 2011), National Credit Union Administration (“NCUA”), Securities and Exchange Commission (“SEC”), and the Federal Trade Commission (“FTC”). The GLBA further provides that insurance entities are subject to the rules of the insurance authorities of the states in which they are domiciled.
In June 2000, the SEC issued its final rule addressing information safeguards (the “SEC Rule”). In January and February 2001, the OCC, Federal Reserve, FDIC, OTS, and NCUA adopted substantively identical safeguard rules (the “Interagency Rules”) that apply to the entities each agency regulates. In May 2002, the FTC issued its own safeguards regulation (the “FTC Rule”). Since then, most state insurance regulators have separately adopted their own regulations, although none is as comprehensive as the DFS Rule. The content of these sets of rules differed, so different types of entities found themselves following different rules. For example, a broker-dealer abided by the SEC Rule, while a credit union was subject to the Interagency Rules.
By contrast, the DFS Rule is broader in its application, covering any entity operating pursuant to a license, registration, charter, or similar authorization under New York’s Banking, Insurance, or Financial Services Laws. Where the DFS Rule applies to entities already subject to rules promulgated under the GLBA, that application would generally be permitted, because the GLBA provides that a state regulation may afford persons greater protection than the GLBA Safeguards Rule does; the two regimes therefore overlap rather than displace one another, and an entity must satisfy both. While the DFS Rule diverges from the SEC, Interagency, and FTC Rules to varying degrees, it is consistently more prescriptive and particularized, and thus stands in fairly stark contrast to the existing cybersecurity legal landscape.
Despite the entrenched resistance, the DFS is standing by the revised Rule and is preparing for its March 1, 2017 rollout. Whether the DFS Rule will create overlap, confusion, and duplication remains to be seen. However, most financial firms under DFS oversight likely already have established cybersecurity programs in place. Thus, the real challenge will be conforming those programs to the Rule’s new requirements, and documenting that conformance for the annual certification.
The DFS Rule represents a departure from the relatively flexible information security regulatory regimes that have been in place for over a decade. Instead, it offers a more comprehensive and particularized set of rules that some have deemed a “one-size-fits-all” approach. However, the DFS has responded to this critique with its recent revisions, adding flexibility to the regulation by allowing entities to take measures commensurate with their firm-specific risk assessments. Even so, the Rule is poised to make its mark and immediately influence how the financial services industry and its regulators approach the critical issue of cybersecurity, and may serve as a precedent for future state or federal regulations.