New York’s Proposed Banking Cybersecurity Regulation, And Why It’s Relevant To Community And Regional Banks Outside Of New York.

On September 13, 2016, New York’s Department of Financial Services announced a proposed new cybersecurity regulation covering banks, insurance companies, and other financial service providers. The regulation goes into effect on January 1, 2017.

In sum, the proposed regulation requires covered entities to:

1. establish a cybersecurity program;
2. adopt a written cybersecurity policy addressing a range of required topics;
3. designate a Chief Information Security Officer (“CISO”) responsible for implementing the cybersecurity program and reporting to the board bi-annually;
4. mandate that vendors adhere to certain minimum cybersecurity practices; and
5. implement a range of security policies, including annual risk assessments, maintenance of an audit system to track access, and regular employee training.

The New York Department of Financial Services has provided a more detailed outline of the regulation’s requirements at:

https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/DFSCybersecurityRegulations.pdf

Should community and regional banks operating outside of New York care about the proposed regulation? Yes. There are at least three reasons why. The bottom line is that the proposed regulation calls for tighter cybersecurity standards and may have long-term spill-over effects on banks outside of New York.

First, the numerous banks operating in New York will bolster their cybersecurity programs to comply with the proposed regulation. Those banks’ compliance could set the cybersecurity “reasonableness” standard for all US lenders, as discussed in a September 15 American Banker article. A heightened reasonableness standard may, in turn, affect your bank.

What constitutes reasonable cybersecurity protection is relevant to many issues facing lenders. To provide a few examples: the Gramm Leach Bailey Act and accompanying regulation require financial institutions to establish data protection standards consistent with reasonable industry practices. See, e.g., 16 C.F.R. § 314.3. Failure to comply with reasonable data protection standards may subject a lender to a negligence suit in the event of a data breach. See Shames-Yeakel v. Citizens Financial Bank, 677 F. Supp. 2d 994, 1007-8 (N.D. Ill. 2009). And cyberinsurance providers often require insureds to adhere to reasonable industry practices; insurers may look to the proposed regulation as establishing reasonable requirements for all insured banks, regardless of whether they are located in New York.

Second, the proposed regulations may signal a gradual tightening of cybersecurity regulations on banks. The proposed regulations exceed some of the suggested standards in well-known cybersecurity guidelines, such as the Federal Financial Institutions Examination Council cybersecurity assessment tool and the National Institute of Standards and Technology Cybersecurity Framework. The proposed regulations exceed those standards in requiring encryption of all broadly defined “nonpublic” information and multi-factor authentication for individuals accessing sensitive internal systems.

Third, the proposed regulations may be the start of increasing state, and possibly federal, cybersecurity regulation on lenders. New York’s action may spur other states’ regulators to promulgate their own cybersecurity regulations. Differing state regulations will create compliance costs, and a divergent series of state regulations may prompt federal regulation or legislation to create uniformity.