By Christopher D. Pham & N. Chethana Perera, Summer Associate
Last year, banks worldwide experienced cyber attacks through the SWIFT messaging system. Cyber criminals stole over $80M from Bangladesh Bank, and over $12M from Banco del Austro in Ecuador. A few years prior, JP Morgan had one of the largest recorded data breaches in which hackers gained access to over 83 million customers’ personal records. These events, among others, prompted federal and state legislators to increase cyber security measures. In order to combat the ever-increasing and sophisticated cyber intrusions, New York recently adopted a “first-in-the-nation” cyber security regulation (NY Regulation), which has a broader reach than the federal Gramm-Leach-Bliley Act (GLBA).
Scope of the NY Regulation
The recent NY Regulation primarily targets cyber security concerns, in contrast to GLBA, which mainly targets privacy concerns. The NY Regulation applies to a wide range of businesses—any nongovernmental entity operating under a “certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Laws” of the state of New York—whereas GLBA applies only to “financial institutions” significantly engaged in financial activities.
The NY Regulation also protects a broad scope of nonpublic electronic information including: (1) business-related information the tampering or unauthorized disclosure of which would cause a material adverse impact to the business, (2) any personal identification information, such as a Social Security Number or a password to an individual’s financial account, and (3) any information (except age or gender) from an individual or a healthcare provider relating to the health of any individual or his or her family members.
The NY Regulation has several new requirements. First, the regulation requires any covered entity to have certain personnel. For example, a covered entity must have a qualified individual to act as Chief Information Security Officer. This officer develops and presents a written report about cyber security concerns to the entity’s board of directors at least once annually. Covered entities must also have qualified cyber security personnel to perform and manage the entity’s cyber security functions and risks.
Second, the NY Regulation requires increased reporting obligations. Covered entities must report any attempt to gain unauthorized access to an individual’s nonpublic electronic information. In the event such an unauthorized attempt happens, covered entities have 72 hours to notify the Department of Financial Services (DFS). Beginning in February 2018, the NY Regulation also requires the chairperson of a covered entity’s board of directors to submit a certification that the institution’s cyber security practices comply with the NY Regulation.
Third, the NY Regulation requires covered entities to make all documentation relevant to their cyber security programs available to the DFS. This information includes a covered entity’s: (1) written cyber security policy, (2) documentation of cyber security monitoring and testing, (3) plan to reconstruct transactions and audit trails, (4) written guidelines on risk assessment and third party service cyber security procedures, (5) written response plan to a cyber security attack, (6) annual certification of compliance, and (7) documentation on how the entity is working to address its cyber security risks.
Fourth, the NY Regulation requires covered entities to have written policies and procedures to address the risks relating to third parties who have access to an individual’s nonpublic information through services provided to the covered entity. These policies must address: (1) the third party’s policies on access to nonpublic information, (2) the encryption procedures a third party uses to protect the entity’s nonpublic information, (3) notice from a third party any time a breach or attempted breach of the covered entity’s nonpublic information occurs, and (4) representations and warranties by the third party about the security of the covered entity’s nonpublic information.
What This Means for Banks in the Midwest
Banks and financial institutions outside New York should take note of the new regulation. The NY Regulation exemplifies a shift toward more careful management and a proactive approach toward combating cyber security threats. “With this landmark regulation, DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information,” DFS Superintendent Maria T. Vullo said. “As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber-attacks.”
Because of the increased reporting requirements, entities covered by the NY Regulation may increase scrutiny of third parties’ cyber security procedures and practices before entering into or renewing contracts. Thus, banks and other financial institutions should be proactive about increasing their own cyber security measures.
Finally, while New York was the first state to adopt heightened cyber security regulations, it will not be the last. In fact, Colorado has already followed suit, and new cyber security regulations became effective in July. Banks and financial institutions may find it in their best interest to stay ahead of the trend.