December 17, 2015

NY Banking Regulator Takes the Lead on Potential Cybersecurity Standards

This recent memo from New York’s State Department of Financial Services (NYDFS) to federal and state banking, securities and insurance regulators contains a robust list of potential new cybersecurity requirements that would apply to NY financial institutions. Among them is a requirement to have a designated CISO responsible for (among other things) overseeing and implementing the organization’s cybersecurity program, enforcing its cybersecurity policy, and submitting to the NYDFS an annual report – reviewed by the board of directors – that assesses the cybersecurity program and its risks.

The proposed requirements would apply only to New York financial institutions; however, the memo notes benefits associated with coordinating its efforts with relevant federal and state agencies to develop a comprehensive cybersecurity framework, while retaining the flexibility to address NY-specific concerns. As such, the NYDFS purportedly welcomes dialogue/input on the proposals from other relevant regulators.

Astounding in their depth and breadth, the new regulatory requirements would be expected to cover, at a minimum, these areas:

  • Implementation of written cybersecurity policies & procedures
  • Implementation of policies & procedures to ensure the security of data accessible to or held by third parties
  • Use of multi-factor authentication for enumerated applications, servers and data
  • Designation of a CISO with enumerated responsibilities, including annual reporting to the NYDFS
  • Implementation of procedures to ensure application security
  • Employment and training of adequate cybersecurity personnel
  • Conduct of annual and quarterly auditing-related testing and assessment
  • Immediate notification to the NYDFS of any cybersecurity incident that has a “reasonable likelihood of materially affecting the normal operation of the entity” including (among other enumerated circumstances) any incident of which the company’s board is notified

Potential CISO “Defense”?

Among the potential considerations discussed in this recently released NYSE Governance Services/Veracode report concerning whether a company has made “reasonable efforts” to secure customer data is whether the company has a dedicated CISO.

According to the report – which discusses the results of a survey of 276 public company directors and officers concerning cybersecurity practices and liability – almost 90% of respondents believe that a company that doesn’t make “reasonable efforts” to secure its data should be held liable by regulators. Studies reportedly have shown that companies with a dedicated CISO detected more security incidents and reported lower average financial losses per incident. That being the case (if accurate), the report asks whether we can assume that a company lacking a CISO is, in effect, negligent, or failing to make reasonable efforts to secure its data.

Additional noteworthy survey results include:

  • 90% agree that third-party software providers should be held liable when vulnerabilities are found in their packaged software.
  • 65% of respondents say they have already begun or are planning to insert liability clauses into contracts with their third-party providers.
  • 80% of respondents stated they’ve brought the issue of cybersecurity liability to the forefront of their boardroom discussions.
  • 60% of respondents foresee an increase in shareholder lawsuits as a result of heightened corporate cybersecurity liability.
  • More than half of respondents believe investors will demand greater cyber-incident transparency from companies as a result of the increased public focus on cyber liability.
  • A majority of respondent companies say they carry some form of cyber coverage.

More on “The Mentor Blog”

We continue to post new items daily on our blog – “The Mentor Blog” – for members. Members can sign up to get that blog pushed out to them via email whenever there is a new entry by simply inputting their email address on the left side of that blog. Here are some of the latest entries:

– SEC Comment Letters: Does Auditor “CC” Signal Materiality?
– EDGAR: Having Trouble Displaying Graphics
– IPOs: Does Loyalty Count?
– Vertical Promotion is Not Always Route to a GC Job
– SEC Approves Proposed Research Analyst Rules


– by Randi Val Morrison