In early 2017, the New York Department of Financial Services (NYDFS) released comprehensive Cybersecurity Requirements for Financial Services Companies (NYDFS 500) that will require financial institutions operating in New York state to build cybersecurity programs, complete with security policies, technical controls like encryption, and third-party risk management programs. The new regulations will require affected institutions to certify compliance annually, and NYDFS examiners will review compliance as part of their routine examinations. If found to be non-compliant, institutions could face disciplinary actions or monetary fines. Because this regulation applies to all financial institutions that have a presence in New York state, many non-U.S. firms must comply. Balancing NYDFS 500 and global requirements will provide unique challenges to New York branches of foreign institutions.
While NYDFS 500 contains specific legal requirements, such as notification and annual certification, many of the requirements are less prescriptive, including several with which firms must comply by September 1. Many of these involve the implementation of controls based on risk, which requires the branch office to take a holistic approach.
For example, firms will have to keep an audit trail of financial transactions and hold this data for five years. It will be challenging and time-consuming to determine the key transactions organizations require to operate, figure out how to store these transactions in a secure fashion and then recover them when needed. In addition, the new regulations will require firms to keep audit trails on security events for the previous three years. The industry standard for such security audit trails has traditionally been 30 to 60 days, so this presents new challenges in terms of data storage. Lastly, NYDFS 500 requires firms to encrypt all nonpublic information, whether at rest or being transmitted over external networks.
Given the complexities of the constantly evolving regulatory landscape, many foreign institutions continue to struggle with how to demonstrate compliance or quickly implement remediation plans prior to NYDFS 500’s various milestone dates, including September 3. In particular, global institutions face three key challenges with the upcoming requirements:
- Aligning security controls with global initiatives. Although an institution’s global security program or policies might incorporate its New York branch, those global initiatives might not identify applications that are critical to the New York branch. In addition, controls, like encryption, might not be in place. In these cases, the New York branch might need to implement a specific controls framework or identify compensating controls.
- Identifying all the technologies that support the New York branch and the transactions of New York customers. It’s more than just data that goes through New York state; it’s the processes and procedures that support the management of customer data and nonpublic information. Having these procedures in place will be critical as firms must securely store financial transactions and security events as part of the audit trail by September.
- Defining a New York-based employee who has the authority to make changes and is responsible for the program. A financial institution should understand the risks that are specific to its New York branch and have a local employee assigned to be responsible for the cybersecurity program. This could be an individual who reports to a global CISO, but it will be important that someone at the branch is able to talk to the regulators and is educated on the cybersecurity risk of the organization. As the final transitional deadlines approach in March 2019, an institution will find it critical to have an individual working at its New York branch who fully understands the cybersecurity program and the New York business and can therefore appropriately respond to examiner requests.
Ultimately, foreign institutions need to make sure their New York branches are fully prepared to adapt and comply from a cybersecurity perspective. It’s important—as firms prepare for the upcoming September deadline—that they are prepared to show their New York branch programs to examiners. The onus is on firms to choose the right approach to compliance. They shouldn’t underestimate the breadth of changes needed to comply with these requirements or the efforts needed post-implementation to ensure that the controls and cybersecurity program continue to address evolving risks.
Important note: The content in this blog is general in nature. It is not, and is not intended to be relied on as, advice. It should not replace the expertise of qualified professionals and readers should seek advice specific to their organization’s needs, which may vary and require unique action.