As this election cycle and recent corporate and law firm cyberattacks have made clear, cybercriminals are becoming an ever-growing threat to businesses and law firms. As companies grapple with how to best address hackers and protect themselves from future cyberattacks, New York has proposed a set of cybersecurity regulations for banks and financial institutions that, if passed, would become the first-ever set of state cybersecurity standards applicable to a particular industry. Because the proposed regulations would place a number of requirements on financial services firms ranging from drafting and publishing cybersecurity policies to hiring a cybersecurity information officer, this law would lead to significant consequences for both banks and lawyers.
What New York’s proposed regulations entail
The main goal of New York’s proposed regulations, 23 NYCRR 500, is to set forth a number of requirements that banks and other financial service providers would need to follow to protect customer data. The regulations would require banks and other financial service providers to do the following:
- Establish a cybersecurity program that identifies cyber risks and sets out a plan of attack to deal with unauthorized access, unauthorized use, or malicious acts against corporate servers.
- Adopt and publish a written cybersecurity policy that should, at a minimum, address the following 12 topics: (1) information security, (2) data governance and classification, (3) access controls and identity management, (4) business continuity and disaster recovery planning and resources, (5) capacity and performance planning, (6) system operations & availability concerns, (7) systems and network security, (8) incident response, (9) risk assessment, (10) vendor and third-part service provider management, (11) customer data privacy, and (12) physical security & environmental controls.
- Appoint a chief information security officer (CISO) who oversees and implements both the company’s cybersecurity program and policies, and submits a biannual report to the bank or financial service provider’s board that details present and possible cybersecurity risks and proposes ways to address and fix these risks.
- Conduct annual penetration and quarterly systems vulnerability testing to ensure that corporate servers are immune to possible cyberattacks.
- Implement systems that maintain records of user activity and transactions—which the regulations refer to as “audit trail systems”—so that banks and other financial service providers can adequately address unusual user activity on the company’s servers.
- Create a written policy regarding secure development practices for in-house applications used by employees of a bank or financial institution.
- Hire specialized cybersecurity personnel to implement the company’s cybersecurity program and policies.
- Hold cybersecurity awareness and training sessions for employees.
- Implement proactive procedures and programs that monitor risks posed by third-party businesses and service providers who do business with banks and financial service providers.
- Issue reports to the Superintendent of the New York State Department of Financial Services about any and all attempted cyberattacks on the bank or financial service provider’s IT systems.
- Implement multi-factor authentication for user accounts.
The regulations would also require banks and financial service providers to encrypt nonpublic information about authorized users and create an incident response plan that addresses how the company will address cyberattacks as they happen. If passed, the New York State Department of Financial Services will start enforcing these regulations on January 1, 2017, and banks and financial providers would need to start submitting certifications of compliance to the NYSDFS superintendent by January 15, 2018.
What New York’s proposed regulations mean for attorneys and their clients
While the NYSDFS’s proposed regulations are supposed to curb cyberattacks, they will also result in significant financial and legal burdens to not only some classes of banks and financial institutions, but also to law firms that work with these institutions as outside counsel.
For one, although bigger banks and financial institutions fall under the purview of the regulations, the regulations also apply to any individual, partnership, corporation, association, or other entity that either operates or would need to operate under a license, charter, or other authorization under New York’s banking, insurance, or financial services laws [§ 500.01 (c), (h)].
While bigger banks and financial institutions could likely afford to implement many of the NYSDFS’s requirements, community banks and smaller investment advisers likely do not have the financial luxury to adopt and implement many of these rules, particularly when it comes to hiring a dedicated chief information security officer, retaining and training cybersecurity specialists, implementing multi-factor authentication software and regularly testing corporate IT servers. These institutions are already required to comply with a myriad of federal and industry-wide cybersecurity regulations.
Lawyers working with banks and financial services institutions, particularly the smaller ones, would therefore need to advise their clients appropriately on how to best comply with these state regulations and preexisting regulations in a manner that is cost-effective.
Law firms may be forced to meet cybersecurity standards
In addition, the regulations pertaining to monitoring third-party vulnerabilities could also force outside counsel representing banks and financial institutions to attain identical or near-identical cybersecurity standards, and to also vet the vendors with whom they work. This is because § 500.11 of the regulations requires banks and financial institutions to not only set minimum cybersecurity practices and standards that third-party businesses and service providers would need to meet in order to do business with them, but also require them to diligently monitor the adequacy of third-party cybersecurity practices and periodically assess a third party’s system vulnerabilities [§ 500.11 (a)(1-4)]. The regulations also force banks and third parties to agree to contract provisions regarding using multi-factor authentication; encrypting private consumer information; implementing identity protection services for bank clients affected by cyberattacks on third parties; representations and warranties stating that services or products provided to banks are free from viruses and other system vulnerabilities; and giving banks the right to perform cybersecurity audits on third party systems [§ 500.11 (b)(1-6)].
Since law firms would fall within the definition of a third party or third-party service provider that does business with a bank or financial service provider, these regulations would not only require law firms to also apply heightened cybersecurity standards in order to keep banks and financial service providers as clients, but also possibly hold them liable to bank customers materially impacted by a law firm data breach. While heightening cybersecurity standards for law firms may be beneficial on ethical grounds, they could result in increased administrative costs and overhead for law firms whose preexisting cybersecurity protections aren’t at the heightened level required to conduct business with New York banks.
In the end, New York’s proposed cybersecurity regulations for the financial services industry could impact how law firms advise banking clients and structure their cybersecurity policies and IT systems. These regulations also could also impact other practice areas if New York and other states adopt similar cybersecurity regulations for other industries. The proposed regulations are not final and are currently subject to a notice-and-comment period. Lawyers in New York and elsewhere should take note.
This post was authored by Eric Pesale, a soon-to-be attorney who recently graduated from the New York Law School. Eric contributes regularly to the Logikcull blog, focusing on the legal impact of emerging technologies. He can be reached at firstname.lastname@example.org or on Twitter at @ericpesale.