In September, New York Gov. Andrew Cuomo announced that a first-in-the-nation regulation had been proposed to protect New York State from the ever-growing threat of cyberattacks. The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services (DFS) to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. The proposed regulation was published in the New York State Register on Sept. 28, 2016, and was subject to a 45-day notice and public comment period. During that time, several financial services industry associations, including the New York State Land Title Association (NYSLTA) and the American Land Title Association, submitted comments to DFS suggesting modifications to the proposed regulation.
The regulation requires regulated financial institutions to establish a cybersecurity program; adopt a written cybersecurity policy; designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing the program and policy; and maintain policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems.
Regulatory collaboration
Among other things, industry associations noted that there was a proliferation of cybersecurity regulations from multiple regulators at the state and federal level. The New York Bankers Association (NYBA) stated that its member institutions generally follow the Information Technology Examination Handbook from the Federal Financial Institutions Examination Council (FFIEC) and the Cybersecurity Framework from the National Institute of Standards and Technology.
“Several of the provisions of the proposal are in alignment with the principles outlined in the federal guidance, including the implementation of a cybersecurity program and the requirement to maintain a written cybersecurity policy,” the NYBA stated. “However, while in principle, the proposal follows the existent industry standards of the NIST and FFIEC and industry best practices for an effective cybersecurity program and policy, there are areas of the regulation that, without further clarification in language by DFS, could drive security controls beyond the NIST and FFIEC guidance, and beyond the intended goal of maintaining an effective risk management practice. Furthermore, because the NIST and FFIEC guidance would become mandates in New York, smaller community banks in the state will be forced to comply with prescriptive standards far above their risk level, leading to a misallocation of precious resources, and focusing compliance efforts on meeting the proposal’s mandates, rather than on actual and meaningful security measures. This could lead to an achievement of little or no gain to the security of such institutions, while leaving them at a competitive disadvantage.”
A letter signed by the American Land Title Association, Mortgage Bankers Association, American Bankers Association, Financial Services Roundtable, American Financial Services Association, New York Mortgage Bankers Association, Financial Services Sector Coordinating Council and the Securities Industry and Financial Markets Association echoed this concern.
“We re-affirm our belief that any final rule would be better served by careful coordination with existing cybersecurity regulations and requirements,” the associations stated. “In addition to NIST’s Cybersecurity Framework discussed above, FFIEC is vested with the power to develop uniform guidance and has separately promulgated the CAT to guide regulators and industry alike in maintaining comprehensive cybersecurity protections at financial firms. FFIEC also has developed comprehensive guidelines, such as the IT Examination Handbook, which consists of detailed guidance on cybersecurity protections. Regulations have also been issued in accordance with the GLBA. These regulations set uniform requirements for the entities regulated by the SEC, FDIC, Fed, OCC, and other agencies with respect to the development and maintenance of a comprehensive information security program. At the international level, G-7 nations developed and released a set of voluntary guidelines for the financial sector. And just last month, the OCC, Fed, and FDIC proposed enhanced cybersecurity requirements for large financial institutions and other firms.”
“The varying requirements in the federal and state regulations are costly for both businesses and consumers,” wrote Robert Treuber, executive vice president of NYSLTA. “Regulators at all levels should collaborate on cybersecurity regulations. We recommend that the federal definitions and/or standards be used in the proposed regulations where indicated.”
The definitions at issue include “cybersecurity event” and “nonpublic information” (NPI).
“The proposed regulation also includes within the definition of NPI business-related information which would cause a material adverse impact, if tampered with, to the business, operations or security of the ‘covered entity,’” Treuber wrote. “The GLBA does not include such information in its definition. If the department feels that it is imperative to protect business records in some fashion, we recommend that such records be broken out into a separate definition with different protections than for consumer-related information.”
Arguing that the definition of nonpublic information is too broad, the NYBA suggested the proposal track the state’s data breach law definition, which states: “‘Private information’ shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired: (1) Social Security number; (2) driver’s license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; ‘Private information’ does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.”
Encryption
Industry associations were concerned about the requirements for information that must be encrypted.
“The proposal states that all nonpublic information held or transmitted by a covered entity shall be encrypted both in transit and at rest,” the NYBA stated. “It is indicated that an entity may utilize other protective controls approved by management in the event that encryption of at rest data is infeasible; however, this only provides a grace period of five years, after which time it is assumed the entity must enable encryption. This unwieldy requirement would be a huge and potentially devastating undertaking for smaller institutions, the expense for which does not correspond positively to the resulting lowering of risk. Effective regulation of nonpublic information should be flexible and tailored to the risks and needs of each institution.
“In addition, the use of the terms ‘in transit’ and ‘at rest’ could be susceptible to multiple interpretations and should be further defined to limit their applicability,” it wrote. “Because encryption of information at rest is generally not the current industry standard, certain third-party vendors utilized by smaller institutions may not be able to comply with the regulations as proposed.”
“Section 500.15 imposes encryption requirements for all nonpublic information held or transmitted by the firm both in transit and at rest,” said the associations. “This requirement does not consider the serious practical obstacles to encryption and that data is generally stored and transmitted in various capacities with varying degrees of risk. In many circumstances, the requirement would simply be unworkable. Implementation of this requirement for mainframe systems, commingled archives, legacy archives, and backup systems would require enormous resources and personnel time, not to mention technical expertise to keep systems running. Even if encryption could be implemented to the extent required, there would be enormous delays in data processing, and firms would be unable to satisfy timely requests for information. Further, requiring firms to encrypt all data thwarts firms’ agile adoption of new technologies that supersede encryption in terms of ability to protect systems and data. For example, some firms are investigating the use of tokenization as a method that may be better than encryption at protecting sensitive data. If firms invest heavily in encrypting all data, it would preclude them from moving to newer and better technologies as they are developed. The requirement to encrypt nearly all data at rest or in transit also may weaken other security controls by (a) blocking surveillance of such data to detect intruders and (b) requiring the broad distribution of encryption keys to allow applications to access such data, increasing vulnerability points through which the information could be hacked. Accordingly, we recommend that any final rule only require encryption based on a risk-based analysis to the extent technically feasible and in light of compensating controls, including but not limited to access controls, network segmentation, and physical controls.”
NYSLTA also voiced some concerns about encryption requirements.
“We request encryption of NPI only when the NPI is in transit; thus, requesting that the last sentence of this section be deleted from the regulation,” the association wrote. “The cost of encryption of NPI ‘at rest’ is excessive and overly burdensome. We store our sensitive customer information securely and only authorized employees have access in accordance with the American Land Title Association Best Practices guidelines. Thus, we believe there is no need to have such data encrypted. Further, we request encryption not be required when transmitting NPI to governmental entities’ sites such as ACRIS and PREP (County Clerk recording systems in the City of New York and Westchester County, respectively), both of which operate using the https protocol.
“Further, we recommend the terms ‘data in transit’ be changed to, and defined as, ‘data in motion’ in accordance with terms used in federal standards and further that ‘data in motion/transit’ and ‘data at rest’ be defined as defined by the U.S. Department of Commerce, National Institute of Standards and Technology (NIST). The following definitions are used by NIST: data at rest, meaning it resides in file systems, distributed desktops and large centralized data stores, databases or other storage centers; data in motion, meaning it moves through the network to the outside world via email, instant messaging, peer-to-peer (P2P), FTP or other communication mechanisms.”
Multi-factor authentication
There was also a concern about multi-factor authentication requirements in Section 500.12.
“Section 500.12 sets out requirements relating to the use of multi-factor authentication,” said the associations. “As drafted, this section would require use of multi-factor authentication with respect to virtually every information system and access to virtually all data stored by financial firms. Requiring multi-factor authentication to this extent would be onerous and may ultimately be self-defeating, likely resulting in the creation of ad hoc workarounds and noncompliance. Further, it may delay the ability to fulfill customer needs in the delivery of contracted services. We recommend that any final rule only require the use of multi-factor authentication based on a risk-based assessment by financial firms with respect to the types of information at issue, potential threats faced, and compensating controls. Firms should be able to apply different approaches that are consistent with their risk and to adopt new technologies and methodologies as they are developed.”
“The use of reasonable multi-factor authentication requirements is generally acceptable, however current federal guidance encourages multi-factor authentication for mobile financial services, but not for individuals accessing internal systems or servers,” NYBA said. “The proposal appears to require such authentication on nearly every platform for information utilized by the financial institution. The wording of the regulation does not differentiate between internal and external facing web-based applications, nor does it define ‘individual,’ which could include customers. A blanket control requirement that would include internal and external applications could be interpreted as a requirement for multi-factor authentication on all web applications across the enterprise. Ineffective risk management such as this drives prohibitive costs for security controls protecting low value assets, while resulting in limited or no value added for the organizations’ overall security posture. NYBA suggests that a risk-based selection of the levels for authentication controls should be at the discretion of the covered entity, based on their risk management framework while ensuring compliance to the industry and regulatory frameworks which are prescriptive in establishing the right level of control requirements.
“Furthermore, this particular provision could have an unintended and damaging consequence, as this is a provision that directly affects customers and, thus the competitiveness of a bank,” NYBA stated. “State chartered banks would be required to utilize such authentication, which could be cumbersome and time-consuming for customers, who would always have the option of finding another, nationally chartered bank to utilize instead. This could put state chartered banks at a disadvantage to their national counterparts. Instead, NYBA suggests that the language be made more flexible to require authentication that could then be administered as an institution sees fit, pursuant to its risk profile.”
Notification
The associations were also concerned about the regulation’s definition of “cybersecurity event.” Under Section 500.01(d), the term covers “any successful or unsuccessful attempt to gain unauthorized access to information stored on a covered entity’s information systems.” NYBA said this definition is extremely broad and could have the unintended consequence of a deluge of reporting that is of little or no use in identifying substantive cyberattack data.
“NYBA urges that any reporting or other actions that need to be performed within a specific period should begin only when there is an actual awareness of a successful event by the entity obliged to act. This can be reflected in the proposal by either excluding unsuccessful attacks or adding a qualifier that it only applies to those attempts ‘of which a covered entity is aware that presented a material adverse impact.’ ”
The NYBA said that it had several concerns with the requirement that DFS be notified whenever any actual or potential cybersecurity event occurs, arguing that this could drive extensive and inefficient reporting mechanisms.
“Furthermore, regulatory reporting that does not discriminate between successful or potential attacks, nor prescribes specific criteria such as criticality or business impact, could generate confusing, excessive and inefficient reporting. Finally, practically speaking, the number of reports that would come in to DFS would result in a deluge of information to DFS that would likely render itself unusable for regulatory and monitoring purposes. NYBA suggests that the proposal thus be revised to only require the reporting of confirmed cyberattacks on a covered entity resulting in the unauthorized access, theft or manipulation of nonpublic information.”
Treuber also requested that notification to the superintendent only be required after a successful cybersecurity event occurs or, alternatively, that covered entities be required to log attempts and send a summary with the annual certification. He said that because large insurance corporations may have hundreds of attempted cybersecurity events every day, reporting every attempt would be excessive and burdensome.
“To prevent such over-reporting to DFS, we request that any final rule require notification only where there is a substantial risk of material harm, rather than all events involving nonpublic information or every event that may ‘affect the operation’ of a firm,” the associations stated. “The final rule should be modified by adopting the proposed definition of cybersecurity event and requiring notification only where there is a substantial risk of material harm. Revising the rule in this manner would align with existing data breach notification requirements within 47 states, including New York, and with the federal interagency guidelines, which provide that in the event of unauthorized access or use of sensitive customer information, firms must notify the firm’s primary regulator, law enforcement, and (when warranted) customers.”
Impact on small business
All of the industry associations raised the concern that the proposed regulation would have a significant impact on small businesses.
“Additionally, we are concerned that the regulation as proposed is likely to become an undue administrative and financial burden on the many small agencies that comprise our industry, as well as the small business vendors that service it while the risk of cyberattack on our industry is minimal,” Treuber wrote. “For the small businesses that comprise our industry, and particularly for those independent title agents which cannot leverage the information technology resources of a parent company, good-faith compliance with these far-reaching and granular regulations will impose a significant financial burden, one which may compromise the independent title agent business model itself.
“Notwithstanding what is stated in the regulatory impact statement and the regulatory flexibility analysis for small businesses and local governments, title agents will incur significant costs and will need to engage professional technology servicers to comply with the requirements of the proposed regulation. It is entirely possible that the cost of complying with the regulation as written will cause such duress that many of our members will be forced out of business. Fewer marketplace choices for the consumer will inevitably lead to higher costs to the consumer, an undesirable result. The modifications to the proposed regulation we include in this comment letter will ensure a business community that is diverse, competitive and better for the consumer.”
The NYBA suggested a clarification to the definition of covered entity and a modification to the limited exemption under the proposal.
“Per the proposal, a ‘covered entity’ would be any ‘Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking law, insurance law, or financial services law,’” it stated. “Under this definition, as it pertains to banks, the proposal could apply to a New York licensed entity that is a subsidiary or affiliate of a national bank or bank chartered in a state other than New York, over whom DFS has no regulatory authority. Requiring such entities to comply with the proposal would create unnecessary operational challenges by adding an additional and perhaps conflicting layer of regulation for entities that are already subject to federal cybersecurity standards, including extraterritorial supervisory jurisdiction with respect to foreign branch offices. For example, operating subsidiaries of national banks are already subject to OCC cybersecurity standards and related requirements. We recommend that there be an express exception from the definition of ‘covered entity’ for an entity that is a subsidiary or affiliate of a national bank or a bank chartered in a state other than New York.”
“Further, while we appreciate that there is a limited exemption provided in the proposal at Section 500.18 for small banks with fewer than 1,000 customers, less than $5 million in gross annual revenue, and less than $10 million in year-end total assets, this exemption will only apply to a very small number of firms. Further, the exemption does not apply to all of the proposal’s mandates, and any exempt bank would still be subject to several of the most rigid requirements, such as third-party information security oversight and the cybersecurity notification requirements,” the NYBA continued. “Even with this limited exemption, the threshold demands of this requirement will be incredibly costly and overly burdensome, and will not necessarily result in more effective cybersecurity, given the risk profile of such institutions.”