What European Financial Institutions Need to Know About New York’s Cybersecurity Regulations
  August 2, 2017 | Author: Alexander F. L. Sand
  Law Firm: Eversheds Sutherland (US) LLP - New York Office

    What is it?

    From 28 August 2017, banks, insurers, and other financial institutions operating in New York will be required to comply with the New York Department of Financial Services (“NYDFS”) Cybersecurity Requirements for Financial Services Companies (the “Regulations”). The Regulations were finalized on March 1, 2017; from that effective date, firms had 180 days to comply with the core requirements, with additional time allowed to comply with others.

    Who does it apply to?

    The Regulations require NYDFS regulated banks, insurers, brokers, and other financial services firms (“Covered Entities”) to conduct cybersecurity risk assessments and meet a number of standards and requirements for governance and operation of a comprehensive cybersecurity program.

    While investment funds and asset managers are not directly covered by the Regulations, they may still qualify as a Covered Entity if they maintain a banking or insurance authorization from NYDFS.

    Do the NY Regs extend to Foreign Banks?

    The Regulations do not cover only firms headquartered in New York. They also apply to individuals and entities that are not domiciled in New York but operate under a New York license, registration, charter or similar authorization; this inevitably extends to international banks that maintain a branch or representative office in New York.

    What are the Key Requirements of the NY Regs?

    Key provisions of the Regulations coming into force on August 28th include requirements to:

    • implement a cybersecurity program aimed at protection, detection, response and recovery;
    • implement and maintain written cybersecurity policies and procedures that address 14 specified areas and are approved by the board or a senior officer;
    • designate a Chief Information Security Officer (“CISO”);
    • limit access privileges to information systems that provide access to non-public information and implement a process for periodically reviewing these access privileges;
    • employ qualified cybersecurity personnel and provide them with cybersecurity updates and training;
    • establish a detailed, written cyber-incident response plan; and
    • provide notice to the DFS in the event of a material cybersecurity incident.

    Additional requirements (including the management of third party service providers and the submission deadline for filing attestations of compliance) come into force over the course of 2017, 2018 and 2019.

    Are there any exemptions?

    The Regulations provide exemptions for small firms (e.g. those with fewer than 10 employees, less than $5,000,000 USD in gross annual revenue or less than $10,000,000 USD in total group assets). However, those firms are still required to meet the requirements for a cybersecurity program, policies and procedures, access controls, and several other forthcoming requirements.

    What does this mean for International Banks?

    For UK, European or international banks and financial institutions, the Regulations are most likely to apply to firms with a branch or representative office in New York. Since many such branches and offices are operated by a parent or holding company incorporated outside of the US, the financial institutions themselves may qualify as a “Covered Entity” under the Regulations. However, the NYDFS has provided guidance that it will not extend its reach beyond the NY branch or representative office.

    In Summary...

    International banks and financial institutions operating in New York City will have to design, implement and maintain cyber-defence systems, controls and organizational structures for their NY branches and representative offices sufficient to satisfy not only their home regulator but also the NYDFS.

    We expect this trend to continue as national and supra-national regulators in other key financial markets (the EU, Singapore, Hong Kong, China) move to impose increasingly prescriptive requirements on the financial sector to control and combat the risk of cyber-attacks.