In response to the growth of cyber-attacks faced by banks, insurance companies and other financial services providers, on Sept. 13, the New York Department of Financial Services (DFS) issued proposed regulations requiring certain state entities to implement cybersecurity protections. Shortly thereafter, on Oct. 19, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation issued an advance notice of proposed rulemaking (ANPR) regarding enhanced cyber risk management standards for certain entities under their supervision.
Despite their shared goal of improving the management of cybersecurity risk through regulatory guidelines, the ANPR standards and the DFS proposal take significantly different approaches. This invites the question of whether the prescriptive approach of the DFS proposed regulations or a more flexible guideline is the better mechanism for protecting consumer information and ensuring effective cyber risk management protocols.
What is apparent, however, is that the DFS proposed regulations and the ANPR standards signal a shift toward regulators formalizing technical best practices into legal requirements.
DFS Proposed Regulations: One Size Fits All
The DFS proposed regulations, slated to take effect in January 2017 (unless significantly altered by Superintendent Maria Vullo), cover all entities that are licensed, required to be licensed, or subject to other registration requirements under the New York banking, insurance or financial services laws. They exempt certain companies based on revenue, market share and asset size.
As drafted, the DFS proposed regulations are more expansive than many data breach laws and regulations currently in effect and have drawn criticism for being both vague and too stringent. For example, while the DFS proposed regulations apply to “nonpublic information” (NPI), NPI is so broadly defined that it has become something of a parlor game among industry insiders to identify what might be excluded.
ANPR Standards: Broad but Flexible
The principles outlined by the agencies in the ANPR standards contemplate the regulation of entities with consolidated assets of $50 billion or more, including subsidiaries of those entities, because of their “potential to act as points of cyber vulnerability to the covered entities,” and foreign banks with U.S. operations.
The ANPR standards may extend to nonbank financial entities under the supervision of the Federal Reserve pursuant to the Dodd-Frank Act. The agencies have invited comment on whether the standards should apply to third-party service providers. Unlike the more prescriptive DFS proposed regulations, the ANPR standards are principles and guidelines that will take concrete form after the 47-day comment period. The ANPR standards cover five topic areas: 1) cyber risk governance; 2) cyber risk management; 3) internal dependency management; 4) external dependency management; and 5) incident response, cyber resilience, and situational awareness.
Two Peas in a Cyber-Pod?
Both the DFS proposed regulations and the ANPR standards aim to protect consumer information by pushing covered companies to adopt robust mechanisms to guard against cybersecurity threats. Both would provide for:
- identification and assessment of activities that present cyber risk and the establishment of mechanisms for identifying, reporting, and responding to breaches or threats,
- greater senior management and/or board responsibility, oversight, and independence with respect to cyber risk,
- assessments by business units of cyber risks associated with their activities and connection points,
- audits to determine vulnerability and penetration points,
- management of third-party vendors or external data management services that may pose a risk, including establishing due diligence policies, and
- creation of effective incident response plans and plans to identify and mitigate cyber risks.
If these measures sound familiar, it is because both proposals enhance existing cybersecurity guidelines.
Fault Lines Between the Proposals
The primary difference between the DFS proposed regulations and the ANPR standards lies in their potential flexibility. While the ANPR standards are subject to comment and development and may eventually allow covered entities to tailor their risk management plans, the DFS proposed regulations are more rigid in their requirements.
For example, while both proposals address incident response plans, only the DFS regulations require regular disclosures to regulators about cyber events. Similarly, the ANPR standards do not discuss user authentication or access controls, while the DFS proposed regulations are granular in their treatment of multifactor authentication. Although a prescriptive approach may seem desirable because it provides clear directives, many in the financial industry have noted that the diverse range of the covered entities means that it is undesirable, if not impractical, to require a uniform approach to cybersecurity risk.
Of course, this is not to suggest that the ANPR standards do not have the potential to develop prescriptive characteristics. For example, the ANPR standards contemplate an intricate management relationship between covered entities and third-party service providers, where the entity must assess not only the cyber risks that third parties pose to a covered entity, but also the risks that a covered entity’s own systems pose to third parties. The DFS proposed regulations, on the other hand, do not envision managing these relationships as part of a unified structure.
Additionally, the ANPR standards cover issues not addressed by the DFS proposed regulations, such as the creation of an independent risk management function that reports directly to the board, and they encourage sector-critical analysis to improve the performance of systems critical to the financial sector. Nonetheless, as the ANPR standards have yet to be fully fleshed out, covered entities still have several opportunities to shape the final regulation. Since the notice and comment period has passed on the DFS proposed regulations, the financial services community awaits the final revisions, if any, to them.
Harbinger for the Future?
Ultimately, the recent steps by the agencies and the DFS reflect a continued focus on managing cyber risk, which is likely to have a direct impact on the financial and insurance industries. These institutions should consider putting in place a legal team to ensure compliance with the DFS proposed regulations and submitting comments as part of the ANPR standards implementation process.
As regulators tend to take cues from each other in this space, the ANPR standards and the DFS proposed regulations may be a harbinger of the future. One certain effect of the DFS proposed regulations and ANPR standards is the hardening of technical best practices into legal requirements.
James J. Pastore is a litigation partner at Debevoise & Plimpton and a member of the firm’s Cybersecurity & Data Privacy practice and Intellectual Property Litigation Group. His practice focuses on privacy and cybersecurity issues.