New York State’s powerful financial regulator, the Department of Financial Services (DFS), has recently grabbed the cybersecurity spotlight by issuing a first-in-the-nation cybersecurity regulation, which went into effect on 1 March 2017.
The regulation is a game changer for directors with responsibility over any financial institutions (including banks, trusts and insurance companies, referred to here as covered entities) that are required to operate under a licence, registration, or similar authorisation under New York’s Banking Law, Insurance Law or Financial Services Law. Although the regulation does not directly apply to national banks and federal branches of foreign banks, it does apply for example to New York-licensed lenders and branches of foreign banks. Because it applies regardless of where the institution is domiciled, the regulation’s impact is being felt around the world. It is groundbreaking in several respects.
First, it is a mandatory regulation, as opposed to ‘guidance’, that requires covered entities to establish a cybersecurity programme designed to protect the confidentiality, integrity and availability of the institution’s information systems and nonpublic information. Although the DFS does not spell out specific fines or penalties associated with violations, the regulation provides that it will be enforced pursuant to DFS authority ‘under any applicable laws’.
Second, the regulation is comprehensive in scope, covering security risks throughout the entire information lifecycle. It mandates the implementation of a cybersecurity programme that is supported by policy and based on a risk assessment. To the extent they apply to the institution’s operations, the cybersecurity policy must address the following areas:
- Information security
- Data governance and classification
- Asset inventory and device management
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Systems operations and availability concerns
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Risk assessment
- Incident response
But perhaps the most extraordinary aspect of the regulation is that it places responsibility for cybersecurity squarely on the board of directors and senior management of the covered entity, effectively requiring boards to engage in active and informed oversight of the entity’s overall cybersecurity.
Board and senior officer mandates
The regulation contains a number of specific obligations, highlighted below, that may directly apply to the covered entity’s corporate directors. Those requirements mandate board oversight of cybersecurity and prescribe reporting systems from management directly to the board.
- Under the regulation, each covered entity must implement and maintain a comprehensive written cybersecurity policy that is ‘approved by a senior officer or the covered entity’s board of directors (or an appropriate committee thereof) or equivalent governing body’.
- The regulation also requires each covered entity to designate a qualified individual, such as a chief information security officer (CISO), to be responsible for overseeing and implementing the institution’s cybersecurity programme and enforcing its policy. The CISO, in turn, must provide a written report, at least annually, to the board of directors, covering the entity’s cybersecurity programme and material cybersecurity risks.
- The CISO’s written report to the board must be based on considerations, as applicable, of (i) the confidentiality of the institution’s sensitive information (which goes beyond personal data to include business-related information the tampering with which or unauthorised disclosure, access or use of which, would cause a material adverse impact on the institution’s business, operations, or security); (ii) the integrity and availability of systems; (iii) the entity’s policies and procedures; (iv) its material cybersecurity risks; (v) overall cybersecurity effectiveness (which is quite difficult, if not impossible, to measure) and (vi) material cybersecurity events during the reporting period.
- Perhaps the most groundbreaking part of the regulation is the requirement for a written certification of compliance, signed either by the chairperson of the board of directors or a senior officer. Whoever puts their name on that document is expected to certify to the best of their knowledge either that the entire board of directors, or one or more specifically named senior officers ‘reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary’ to comply with the regulation.
- The institution also must document the identification of, and the remedial efforts planned or underway to address, any ‘areas, systems or processes that require material improvement, updating or redesign’.
Director duties to oversee cybersecurity
Corporate directors are charged with the responsibility to monitor and oversee corporate risk, including material data privacy and cybersecurity risks. That responsibility is based on the duties of care and loyalty owed by directors to the corporation.
With respect to care, the prevailing view is that a lack of good faith is a necessary condition to liability. Under Delaware law, ‘a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards’.
When it comes to the duty of loyalty and a director’s failure to monitor and oversee corporate risk, the threshold for liability is high and can be imputed to individual board members only where: ‘(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention’.
It is hard to imagine a common situation where the first prong of this test would be met. The second prong is likely to be tested soon, however, following a cyber breach of a covered entity that has certified compliance with the regulation. To be sure, the mere fact of a breach is not sufficient to suggest, no less find, director liability. But, it is certain to lead to questions about board engagement. Shareholders and regulators are always on the hunt for ‘red flags’, those facts, for example, that might show the board was aware that internal cybersecurity controls were inadequate, that these inadequacies would result in material harm to the institution and that the board chose to do nothing about the problems it knew existed.
Faced with the changing nature of cybersecurity risk, directors also might consider the views of the Committee of Sponsoring Organisations of the Treadway Commission (COSO), which recommends that a board focus, at least annually, on ‘changes in the critical assumptions and inherent risks underlying the organisation’s strategy’. For many organisations, these assumptions and risks change frequently, based on the increasing quantity and quality of the data the institution acquires, retains and transfers, the rapidity of technology innovation and adoption, outsourcing demands and a constant barrage of existing, emerging and escalating criminal and nation-state threat actors.
The top 12 questions every board should ask about the regulation
Clearly, boards will need to consider what actions are necessary to ensure that a reasonable reporting system exists when it comes to complying with New York’s no-nonsense cyber mandate. The following are some suggested areas of inquiry that directors can use to help improve their organisation’s performance while spotting and addressing red flags:
1. Is the institution’s general counsel informed of, and involved with, compliance efforts for the regulation?
2. Has the institution designated a qualified individual (such as a CISO) to oversee and implement the institution’s cybersecurity programme and enforce its policies?
3. Does the institution have a roadmap for implementing each of the 17 substantive sections of the regulation and does it take into account their varying due dates, how much lead time is anticipated for their completion, the resources that will be required to do so and how it will measure success?
4. Does the institution use industry-recognised guidance, frameworks, or best practices to address each of the 14 cybersecurity policy areas outlined in the regulation?
5. Has the institution determined who will sign the annual certification of compliance and is that person qualified to do so? Is the chairperson of the board expected to sign it?
6. How is the institution maintaining the records, schedules and data to support the annual certification which, by regulation, must be maintained for a period of five years?
7. What does the institution view as its most significant internal and external risks to the security or integrity of its data and systems?
8. Is there a written risk assessment, made available to the board, assessing the adequacy of existing controls in the context of identified risks? What are the gaps?
9. What are the institution’s requirements for either mitigating or accepting identified cybersecurity risks and are they consistent with the institution’s risk profile and regulatory requirements? (When it comes to risk acceptance, directors should be aware that NYDFS has stated ‘the risk assessment is not intended to permit a cost-benefit analysis of acceptable losses where an institution is faced with cybersecurity risks’.)
10. How is the institution identifying and documenting (in a manner that can be made available to DFS) the remedial efforts that are planned and underway to address areas, systems or processes that require material improvement, updating, or redesign?
11. How is the institution addressing the regulation’s requirement that it encrypt non-public information while it is in transit over external networks and while it is at rest, unless it is ‘infeasible’ to do so? To the extent encryption is not being used, how was infeasibility determined and has the CISO reviewed and approved effective, alternative compensating controls?
12. When and how does the board get notified of cybersecurity events that are reported to DFS?
The DFS regulation makes clear that cybersecurity is, without doubt, a board issue. The outlined questions are offered merely as a starting point for directors to use when considering their entity’s cybersecurity posture and its compliance with the regulation. One or more directors should have the responsibility and capability to drill down into each of these areas, ensuring that they have a full understanding of the entity’s cybersecurity risk profile and the reasons behind the steps being taken – and not taken – to protect the institution’s information systems and non-public information. Boards that cannot accomplish this, based on their existing composition, should consider retaining independent cybersecurity advisors and counsel to assist with their review and provide objective advice concerning cybersecurity compliance.
Active, engaged and informed oversight by the board on a continual basis is crucial to protect an entity and its board members from cybersecurity threats and liabilities and to ensure compliance with the regulation.
Co-authored by Steven Chabinsky