New York Prepares Cybersecurity Guidance for Banks
New Guidelines to Address Vendor Management, Authentication
Banks should be closely watching pending New York state cybersecurity requirements for banks, which may soon get adapted and applied country-wide.
Regulators in New York state are expected to release the new guidelines - covering cyber-resilience, vendor management and breach notification - in early 2016. And while no specific deadline for complying with the new rules has been revealed, the tone set by this new guidance will likely have a ripple effect, becoming a cybersecurity benchmark that influences not just state-level but also federal banking regulators.
Here's what we know so far: In November, Anthony J. Albanese, the acting superintendent of financial services for the New York State Department of Financial Services, published a letter detailing the department's plans to issue new cybersecurity guidance. Specifically, the department called out the need for enhanced cybersecurity oversight and numerous requirements for banks, including:
- Setting overall cybersecurity policies and procedures;
- Creating policies for managing third-party service providers' cybersecurity;
- Hiring qualified CISOs;
- Hiring qualified staff and vendors to ensure sufficient cybersecurity and cyber-intelligence capabilities;
- Ensuring CISOs enforce cybersecurity procedures and standards that ensure application security;
- Employing multifactor authentication for customers accessing online banking, and for employees and service providers accessing internal systems and data;
- Auditing all related processes;
- Maintaining cyber-incident and breach notification policies.
The detailed message to banking institutions is clear: Start bulking up your cyber-budgets now, and pay attention to the new rules forthcoming from the NYSDFS. Because recommendations from this state regulator, which oversees many of the country's largest financial institutions, are going to affect all of you.
And you don't just have to take my word for it. Here's what the NYSDFS says in its statement about the pending guidance:
"The scale and breadth of the most recent breaches and incidents demonstrate that cybersecurity is a global concern that affects every industry at all levels. There is a demonstrated need for robust regulatory action in the cybersecurity space, and the department is now considering a new cybersecurity regulation for financial institutions. The department believes that it would be beneficial to coordinate its efforts with relevant state and federal agencies, to develop a comprehensive cybersecurity framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns."
To that end, the department says it has built its proposals for cybersecurity enhancements - as detailed in the points I bulleted above - and "welcomes the opportunity to work with other regulators to develop a comprehensive approach to cybersecurity regulation in the weeks and months ahead."
Highlight: Third-Party Vendor Management
While the letter outlines some very specific recommendations, such as the need for each banking institution to hire or name a qualified CISO to be the "buck stops here" executive responsible for overseeing and enforcing the institution's cybersecurity program and policies, what really catches my attention are the new requirements relating to managing third parties.
Notably, the department - echoing recent statements from federal regulators - calls out third-party security risks as a leading cybersecurity concern. It emphasizes too that banking institutions must ensure that all of their vendors and service providers adhere to the same levels of cybersecurity standards as the banks do themselves.
"Each [financial institution] would be required to implement and maintain policies and procedures to ensure the security of sensitive data or systems that are accessible to, or held by, third-party service providers," the department states. "The policies and procedures would be required to include internal requirements for minimum preferred terms to be included in contracts with third-party service providers."
Those "minimum" terms include requiring and ensuring that third parties:
- Use multifactor authentication to limit internal and external access to sensitive data and systems;
- Encrypt all sensitive data, both in transit and at rest;
- Notify the banking institution of all cybersecurity incidents;
- Contractually indemnify the banking institution against any cybersecurity incident that results in lost data;
- Allow the banking institution or its agents to perform cybersecurity audits of all third parties;
- Ensure that third parties have warranties in place for information security.
Without a doubt, managing third-party service provider risks will continue to be challenging. But as the Target breach - amongst many others - demonstrated so well, we know it's a necessity. And federal banking regulators have been hammering home the need for more third-party oversight for the past 18 months (see OCC Expands on Third-Party Cyber-Risks and OCC: More Third-Party Risk Guidance).
What Happens Next
Banks know they need to do more. But where to start? And what's the gold standard of accountability?
That's what I like about the proposal from the NYSDFS. The minimum standards it suggests for managing third-party cybersecurity are clear and precise. For example, there's not much question or confusion about what types of data must be encrypted.
While there is no specific timetable for release of this pending guidance, I hope we see it become a reality sooner, not later, in 2016. And I look forward to seeing how other states' - as well as federal - banking regulators also adopt and incorporate some of these recommendations.
I also look forward to conducting a post-mortem analysis later in the new year on these moves. Is New York headed in the right direction with its outlined new guidance? Or will this be viewed by the industry as being simply more noise about compliance, and not enough about truly advancing banks' cybersecurity?