On September 13, 2016, New York Governor Andrew M. Cuomo announced Cybersecurity Requirements for Financial Services Companies (Cybersecurity Requirements), the “first-in-the-nation regulation proposed to protect New York State from the ever-growing threat of cyber-attacks. The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services [NYDFS] to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.” By its terms, this regulation applies to virtual currency companies operating within New York. These companies are already heavily regulated in New York, as they are required to maintain a BitLicense issued by the NYDFS in order to operate within the state.
The NYDFS asserts that this new measure will protect customer and business information by requiring businesses to “assess its specific risk profile and design a program that addresses its risks in a robust fashion.” It requires financial services companies to designate a chief information security officer; employ specific procedures for penetration testing, risk assessment, and vulnerability assessment; and adopt cybersecurity measures that perform the following functions:
- Identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored on the Covered Entity’s Information Systems, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed;
- Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
- Detect Cybersecurity Events;
- Respond to identified or detected Cybersecurity Events to mitigate any negative effects;
- Recover from Cybersecurity Events and restore normal operations and services; and
- Fulfill all regulatory reporting obligations.
An important and unique feature of the Cybersecurity Requirements is the audit trail provision that requires businesses to track and maintain:
- Data that allows for the complete and accurate reconstruction of all financial transactions and accounting necessary to enable the Covered Entity to detect and respond to a Cybersecurity Event;
- Data logging of all privileged Authorized User access to critical systems;
- The integrity of data stored and maintained as part of any audit trail from alteration or tampering;
- The integrity of hardware from alteration or tampering, including by limiting electronic and physical access permissions to hardware and maintaining logs of physical access to hardware that allows for event reconstruction;
- Log system events including, at a minimum, access and alterations made to the audit trail systems by the systems or by an Authorized User, and all system administrator functions performed on the systems; and
- Records produced as part of the audit trail for not fewer than six years.
These audit procedures can reveal cybercrimes committed externally as well as those committed internally by management or employees as a result of their intentional or negligent acts.
This regulation will likely be controversial, as some in the virtual currency industry have repeatedly expressed their concerns about the significant financial strain and burden of New York’s BitLicense requirement, which has already caused virtual currency companies to look elsewhere to pursue their businesses. While the new Cybersecurity Requirements are burdensome, they provide much-needed consumer and information technology protection at a time when all entities, from the U.S. federal government to small businesses, are at risk of cybercrime. Although virtual currency companies will face financial and infrastructure burdens to comply with these requirements if they want to operate in New York, the regulation should create long-term cost savings, increased consumer confidence, and enhanced security. Additionally, to minimize the burden on smaller companies, the Cybersecurity Requirements provide a limited exception for companies that have fewer than 1,000 customers, less than $5,000,000 in gross annual revenue, and less than $10,000,000 in year-end total assets in each of the last three calendar years.
New York’s Cybersecurity Requirements are “subject to a 45-day notice and public comment period following the September 28, 2016 publication in the New York State register before its final issuance.” If implemented, these Cybersecurity Requirements will be effective on January 1, 2017, and regulated entities will have to submit an annual report beginning in January 2018.