On September 13, 2016, New York Governor Andrew Cuomo and the state’s top banking regulator, the New York State Department of Financial Services (NYDFS), proposed regulations that would be among the first in the US to require banks to establish cybersecurity programs. If implemented, the proposed regulations would increase the burden on banks and insurers to invest in cyber protections that could cost millions of dollars. Banks would be required to hire a chief information security officer and implement measures to detect and deter cyber intrusions, and thus protect consumer data.[1] The proposed regulations would apply only to banks and other financial services companies licensed by New York State, not to nationally chartered institutions. As the first regulator to issue guidelines on cybersecurity, the NYDFS will be setting an example for other regulators at the state and federal level. The new regulation is subject to a 45-day notice and public comment period before final adoption.

What this Means

The planned regulations, which have been discussed since 2014, follow a series of high-profile hacking incidents and NYDFS surveys of the nearly 200 companies under its watch on their cybersecurity programs.[2] One 2015 NYDFS report revealed that a third of the banks in a 2014 survey did not require outside vendors to notify them of data breaches that could compromise bank data.[3]

The new regulations would require institutions to test their cybersecurity systems regularly. The newly appointed chief information security officer would be required to present twice-yearly reports on progress and vulnerabilities to the firm’s board of directors, and to make those findings available to the NYDFS. The proposed regulations would also require annual risk assessments and penetration testing, in which hackers test cyber defenses; encryption of all non-public information transmitted to a bank or stored by it; and hiring and training of cybersecurity-focused employees.[4] Other measures would include appointing overseers for outside vendors and limiting access to customers’ non-public information, such as social security numbers, to employees who need those details. Systems would have to include multiple steps to verify user identities.[5] Additionally, board chairmen and/or senior compliance officers would be held accountable, having to file annual certifications with the NYDFS stating that, to the best of their knowledge, their companies’ cybersecurity programs comply with the regulation. This would potentially expose such individuals to criminal liability if controls are found to be inadequate.[6]

Key Observations and Take-aways

NYDFS regulates state-chartered and foreign banks licensed to operate in New York State, and all insurance companies that do business in the state. The plan was previewed in 2015, on the same day US prosecutors unveiled criminal charges against three men accused of running a series of hacking and fraud schemes, including a 2014 attack against a global financial institution that generated hundreds of millions of dollars of illegal profit. The intrusion renewed concerns that hackers could easily wreak havoc with the US financial infrastructure.[7]

In part as a result of the increased risk of hacking, large banks and insurance companies have built their own cybersecurity systems in recent years, often at a cost of hundreds of millions of dollars. Therefore, the biggest impact of the new regulations is likely to fall on medium and smaller banks and insurers, which may now need to bring their cybersecurity programs up to, at the very least, a mandated minimum standard.

In announcing the new proposals, Governor Cuomo indicated that the regulations would “guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”[8] The proposed regulations include required minimum standards, but will allow companies to assess their own risk in order to encourage industry innovation.[9] NYDFS Superintendent Maria Vullo, who recently replaced Benjamin Lawsky, an aggressive pursuer of financial crime, said: “Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”[10]

The focus on cybersecurity comes as hackers increasingly set their sights on Wall Street, putting further pressure on financial institutions to develop innovative solutions to address complex and dynamic regulation.

References

  1. “New York Proposes Cybersecurity Regulations for Banks,” The Wall Street Journal, September 13, 2016. Accessed at: http://www.wsj.com/articles/new-york-proposes-cybersecurity-regulations-for-banks-1473792867.
  2. “New York issues cyber regulations for banks, insurers,” Reuters, Technology News, September 13, 2016. Accessed at: http://www.reuters.com/article/us-new-york-cyber-regulations-idUSKCN11J20M.
  3. Ibid.
  4. “New York Proposes Cybersecurity Regulations for Banks,” The Wall Street Journal, September 13, 2016. Accessed at: http://www.wsj.com/articles/new-york-proposes-cybersecurity-regulations-for-banks-1473792867.
  5. “New York issues cyber regulations for banks, insurers,” Reuters, Technology News, September 13, 2016. Accessed at: http://www.reuters.com/article/us-new-york-cyber-regulations-idUSKCN11J20M.
  6. “New York issues cyber regulations for banks, insurers,” Reuters, Technology News, September 13, 2016. Accessed at: http://www.reuters.com/article/us-new-york-cyber-regulations-idUSKCN11J20M; “New York Proposes Cybersecurity Regulations for Banks,” The Wall Street Journal, September 13, 2016. Accessed at: http://www.wsj.com/articles/new-york-proposes-cybersecurity-regulations-for-banks-1473792867.
  7. “New York Proposes Cybersecurity Regulations for Banks,” The Wall Street Journal, September 13, 2016. Accessed at: http://www.wsj.com/articles/new-york-proposes-cybersecurity-regulations-for-banks-1473792867.
  8. “New York Financial Regulator Rolls Out Cybersecurity Proposals,” Bloomberg Technology, September 13, 2016. Accessed at: http://www.bloomberg.com/news/articles/2016-09-13/new-york-financial-regulator-rolls-out-cybersecurity-proposals.
  9. “New York Proposes Cybersecurity Regulations for Banks,” The Wall Street Journal, September 13, 2016. Accessed at: http://www.wsj.com/articles/new-york-proposes-cybersecurity-regulations-for-banks-1473792867.
  10. “New York Financial Regulator Rolls Out Cybersecurity Proposals,” Bloomberg Technology, September 13, 2016. Accessed at: http://www.bloomberg.com/news/articles/2016-09-13/new-york-financial-regulator-rolls-out-cybersecurity-proposals.

Newsletter Authors: Samantha Regan, Mairi Bryan

Newsletter Contact Person: Nghi Pham

Visit www.accenture.com/RegulatoryCompliance for the latest insights on regulatory remediation and compliance transformation.

Disclaimer

This blog is intended for general informational purposes only, does not take into account the reader’s specific circumstances, may not reflect the most current developments, and is not intended to provide advice on specific circumstances. Accenture disclaims, to the fullest extent permitted by applicable law, all liability for the accuracy and completeness of the information in this blog and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professional.

About Accenture:

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 373,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Its home page is www.accenture.com.

Copyright © 2016 Accenture. All rights reserved.

Accenture, its logo, and High Performance Delivered are trademarks of Accenture. This document is produced by Accenture as general information on the subject. It is not intended to provide advice on your specific circumstances.

If you require advice or further details on any matters referred to, please contact your Accenture representative.