NY DFS Proposes New Cybersecurity Regulations for Financial Institutions

Ballard Spahr LLP

The New York Department of Financial Services (NYDFS) has distributed a letter to various federal and state regulatory agencies and associations proposing the development of new cybersecurity regulations for financial institutions. The letter states that cybersecurity is “among the most critical issues facing the financial world today” and that there is “a demonstrated need for robust regulatory action in the cybersecurity space.”

The NYDFS proposal arises in part from the cybersecurity survey that the NYDFS conducted of more than 150 regulated banks and the subsequent findings in the survey reports released earlier this year. The letter identified the following key regulatory proposals that are currently being considered and would require financial institutions to:

  • Implement and maintain written cybersecurity policies and procedures addressing a variety of cybersecurity topics, including data governance, application development, customer data privacy, and incident response.
  • Implement and maintain policies and procedures relating to third-party service providers with access to financial institutions’ sensitive data and systems.
  • Use multi-factor authentication for customer access to web applications that capture or display confidential information, for privileged access to database servers that hold or provide access to confidential information, and for any access to internal systems or data from an external network.
  • Designate a Chief Information Security Officer (CISO), who would be required to submit annual reports to the NYDFS.
  • Implement and maintain written procedures, guidelines, and standards relating to application security, which the NYDFS believes should be reviewed on an annual basis by the CISO.
  • Employ adequate cybersecurity personnel, including mandatory cybersecurity training for such personnel.
  • Conduct annual penetration testing, conduct quarterly vulnerability assessments, and maintain audit trails and activity logs.
  • Notify the NYDFS “immediately” of any cybersecurity incidents that have a reasonable likelihood of materially affecting the normal operations.

Although the NYDFS did not provide a timeline for when it expects to release the proposed cybersecurity regulations, it expressed the hope that the letter would “help spark dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cybersecurity standards for financial institutions.” These efforts could also prompt these regulatory agencies and associations to accelerate their own cybersecurity initiatives, which might incorporate elements of any NYDFS regulations. Any cybersecurity regulations issued by NYDFS would need to be read in conjunction with federal requirements and guidance, such as the recently released FFIEC Cybersecurity Assessment Tool.

Financial institutions should be aware of the realistic possibility that any regulations imposed by the NYDFS could become the de facto national standard. Although the NYDFS is only seeking input on its cybersecurity proposals at this time from the regulatory agencies and associations to whom the letter was sent, financial institutions should look for opportunities to engage the NYDFS as it moves forward in developing regulations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
