On February 16, 2017, the New York Department of Financial Services (NYDFS) published a final rule (the “Rule”) imposing new cybersecurity requirements on covered financial institutions. The Rule takes effect on March 1, 2017; however, covered institutions will have 180 days to come into compliance with most requirements, with longer transition periods of 1-2 years for certain obligations. The Rule requires covered entities to certify annually that they are in compliance with its requirements, with the first certification due on February 15, 2018. NYDFS revised its prior drafts of the Rule based on two rounds of public comment.

The Rule is notable for its potentially broad reach.  Specifically, the Rule defines a “Covered Entity” as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” under New York’s Banking Law, Insurance Law, or Financial Services Law. (Sec. 500.01(c)).  While the Rule contains exemptions based on, for example, number of employees (fewer than 10); gross annual revenue (less than $5 million in each of the last three fiscal years from New York business operations of the Covered Entity and any affiliates); and year-end total assets (less than $10 million, including assets of all affiliates), it nevertheless potentially draws a broad range of banks, insurance companies, and other financial services providers within its reach. (Sec. 500.19).

The Rule requires Covered Entities to establish and maintain a risk-based cybersecurity program that is “designed to protect the confidentiality, integrity and availability” of its information systems, as well as any “nonpublic information” stored on such systems. (Sec. 500.02). It likewise requires Covered Entities to prepare written policies, and to designate a Chief Information Security Officer (CISO). (Secs. 500.03 and 500.04). Among the other requirements the Rule imposes are:

  • Either “effective continuous monitoring” of the Covered Entity’s information systems or annual penetration testing and bi-annual (twice-yearly) vulnerability assessments, consistent with the Entity’s level of risk. (Sec. 500.05)
  • Systems that are designed to reconstruct material financial transactions sufficient to support normal obligations of the Entity and that include audit trails designed to detect and respond to cybersecurity events. (Sec. 500.06)
  • Development of third-party service provider security policies that set forth minimum cybersecurity practices required to be met by third parties providing services to the Covered Entity. (Sec. 500.11)
  • The use of multi-factor authentication, consistent with the Entity’s risk assessment, in order to prevent unauthorized access to nonpublic information or information systems. (Sec. 500.12)
  • The use of encryption, consistent with the Entity’s risk assessment, in order to protect nonpublic information held or transmitted by the Entity “both in transit over external networks and at rest.” (Sec. 500.15)
  • A requirement to provide the NYDFS Superintendent with notice within 72 hours from a determination that a qualifying cybersecurity event has occurred. (Sec. 500.17(a))
  • An annual reporting requirement to the NYDFS Superintendent certifying compliance with the Rule and setting forth any identified areas, systems, or processes requiring material improvement, updating, or redesign, and documenting any remedial efforts planned or underway to address these. Entities also must retain for inspection all records, schedules, and data supporting the certification for a period of five years. (Sec. 500.17(b))

The Rule is the first known effort by a state regulatory agency to impose mandatory cybersecurity requirements on a class of businesses, and in that way it represents a break from prior efforts that have focused more on voluntary standards.  New York’s experience with the implementation of the Rule may inform similar efforts by other state regulators in the future.

Institutions that are already subject to other obligatory cybersecurity standards for the financial industry, such as those imposed under the Gramm-Leach-Bliley Act (GLBA), or by the Financial Industry Regulatory Authority (FINRA) or the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (SEC OCIE), may find that they already have addressed many of the steps required by the new Rule. However, they still will have to assess for any overlaps and gaps with the requirements of the new Rule as they build compliance programs. The Rule’s impact is likely to be most prominently felt by financial services companies that are not already subject to federal cybersecurity standards, to the extent they have not already established cybersecurity programs that are largely compliant.

It is also unclear how the Rule—and others like it that may appear in the future—will interact with voluntary standards aimed at critical infrastructure more generally, such as the National Institute of Standards & Technology (NIST) Cybersecurity Framework (CSF). While the Rule addresses many of the same considerations as other pre-existing standards, it delves deeper into the specifics. For example, multi-factor authentication and encryption at rest are tools that industry can use to meet standards such as the GLBA and NIST CSF, but neither is specifically required. Given the increasing interrelationship between state and federal obligations, as well as both cybersecurity and anti-money laundering (AML) regulations, it is important for affected firms to adopt a coordinated approach with an integrated team of legal professionals. Crowell and Moring’s Privacy and Cybersecurity and AML practices are happy to provide further guidance in each of these areas.

On October 25, 2016, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a new Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime as well as a related list of Frequently Asked Questions (FAQs).

The Advisory provides guidance to financial institutions on FinCEN’s expectations with regard to: (1) reporting cyber-enabled crime and cyber-events through Suspicious Activity Reports (SARs); (2) including relevant and available cyber-related information (e.g., Internet Protocol (IP) addresses with timestamps, virtual-wallet information, device identifiers) in SARs; (3) collaboration within regulated institutions between Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) units and in-house cyber-security units to identify suspicious activity; and (4) sharing cyber-related information among financial institutions under existing safe harbor mechanisms used to identify and report potential terrorist activities and money laundering.

The Advisory is characterized as interpretive guidance that does not change existing BSA requirements or impose additional regulatory obligations on financial institutions. However, some of the expectations in the guidance are likely to be new to most financial institutions, and have the potential to increase SAR reporting burdens substantially, both by expanding the types of events that must be reported as SARs and by expanding the types of information that must be gathered and included in all SARs.

The financial institutions affected by the Advisory and FAQs include not only banks but also casinos; money services businesses; broker-dealers; mutual funds; insurance companies offering particular types of insurance; futures commission merchants; introducing brokers in commodities; non-bank residential mortgage lenders or originators; and housing-related government-sponsored enterprises like Fannie Mae and Freddie Mac.

Definitions

FinCEN uses the following definitions in the Advisory:

  • Cyber-Event: An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.
  • Cyber-Enabled Crime: Illegal activities (e.g., fraud, money laundering, or identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.
  • Cyber-Related Information: Information that describes technical details of electronic activity and behavior, such as IP addresses, timestamps, Indicators of Compromise (IOCs), and device identifiers. Cyber-related information also includes, but is not limited to, data regarding the digital footprint of individuals and their behavior.

Mandatory Reporting of Cyber Events

Under the BSA, financial institutions must report any transaction conducted or attempted by, at, or through the institution that involves an aggregate of $5,000 or more in funds or other assets (or $2,000 for money services businesses) and which the institution knows, suspects, or has reason to suspect: (1) involves funds derived from illegal activities or is intended or conducted to hide or disguise funds or assets derived from illegal activities as part of a plan to violate or evade any Federal law or regulation or to avoid any transaction reporting requirement under Federal law or regulation; (2) is designed to evade any reporting or other requirements under the Bank Secrecy Act; (3) has no business or apparent lawful purpose, or is not the sort in which the particular customer would normally be expected to engage, and the bank knows of no reasonable explanation for the transaction after examining the available facts; or (4) involves the use of the institution to facilitate criminal activity. In addition to the required reporting above, a financial institution may file a SAR voluntarily on any “suspicious transaction that it believes is relevant to a potential violation of any law or regulation.”

FinCEN’s new Advisory instructs that a financial institution should file a SAR if it “knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions.” FinCEN recognizes that this standard may require the filing of SARs even in circumstances where no actual financial transactions ultimately occur or are attempted in connection with the cyber-event. For purposes of determining whether the $5,000 threshold for reporting is triggered, the Advisory instructs financial institutions to “consider in aggregate the funds and assets involved in or put at risk by the cyber-event.” This includes, for example, the amount of funds present in accounts potentially affected by a cyber-event, as well as amounts that may become available to cyber criminals as a result of data theft (e.g., credit card numbers).

The Advisory provides specific examples of situations that require reporting under this standard, including a malware intrusion that a bank determines to have put $500,000 of customer funds at risk, as well as a cyber-event that exposes sensitive customer information such as account numbers, credit card numbers, and passwords that might be useful to conduct, affect, or facilitate transactions aggregating to at least $5,000. In both examples, the Advisory counsels that a financial institution must file a SAR, reasoning that although “no actual transactions may have occurred,” the circumstances “could reasonably lead the financial institutions to suspect the events were intended to be part of an attempt to conduct, facilitate, or affect” an unauthorized transaction or series of transactions aggregating to at least $5,000 in funds or assets. In addition, the FAQs accompanying the Advisory explain that reporting is required regardless of whether the cyber-event at issue is considered to have been “successful,” so long as there is reason to believe that the cyber-event was intended to or could affect a transaction or series of transactions conducted or attempted by, at, or through the financial institution that exceed the reporting threshold. In the same vein, FinCEN provides a third example of mandatory reporting where a distributed denial of service (DDoS) attack on a money services business is reportable because it is determined to have been likely conducted as distraction to prevent cyber-security or other personnel from detecting and stopping an unauthorized transaction through the institution.

Anticipating that many financial institutions may see large numbers of cyber events, FinCEN provides in the FAQs that financial institutions may report multiple cyber-events in a single SAR when these are too numerous to be reported individually and (1) are similar in nature and share common identifiers; and (2) are believed to be related, connected, or part of a larger scheme. At the same time, the FAQs make clear that a financial institution is not required to file a SAR “each time an institution’s system or network is scanned or probed,” given that such reporting would be impractical and could detract from other efforts to guard against cyber threats, though they note that financial institutions may include such information about the scanning and probing of their systems and networks when filing a SAR on an otherwise reportable cyber-event.

According to the Advisory and FAQs, SARs relating to cyber-events should include the following:

  • Description and magnitude of the event
  • Source and destination information, including:
    • IP address and port information with respective date timestamps in UTC
    • Attack vectors
    • Command-and-control nodes
  • File information, including:
    • Suspected malware filenames
    • MD5, SHA-1, or SHA-256 hash
    • E-mail content
  • Subject user names, including:
    • E-mail addresses
    • Social media account/screen names
  • System modifications, including:
    • Registry modifications
    • Indicators of Compromise
    • Common vulnerabilities and exposures (CVEs)
  • Involved account information, including:
    • Affected account information
    • Involved virtual currency accounts
  • Known or suspected time, location, and characteristics or signatures of the event
  • Other relevant IP addresses and their timestamps
  • Device identifiers
  • Methodologies used
  • Other information the institution believes is relevant

The existing SAR reporting form already contains fields for some types of cyber-related information, such as IP addresses, website/URL addresses, and e-mail addresses. FinCEN suggests that other cyber-related information should be put into the narrative fields of SARs, and also may be supplemented by attachments in a tabular format, for example in a comma-separated values (CSV) file.
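The following is an added example of how a security team might turn raw alerts into the material the Advisory and FAQs describe: timestamps rendered in UTC, hashes labelled by algorithm, related events clustered on shared identifiers so they can go into one SAR, the aggregate funds-at-risk test applied against the $5,000 threshold, mere scans and probes set aside, and a CSV attachment produced. It is not FinCEN’s code, not part of the Advisory, and not the firm’s own tooling. The alert format, the column names, the `funds_at_risk_usd` figures and the sample alerts are all constructed assumptions; the hashes are those of an empty file and the IP addresses come from the reserved documentation ranges.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Added example, not FinCEN's or the Advisory's code. The alert layout, column
# names and sample data below are assumptions constructed for illustration.

SAR_THRESHOLD_USD = 5_000  # bank/broker threshold per the Advisory; $2,000 for MSBs

HASH_PATTERNS = {
    "MD5": re.compile(r"^[0-9a-f]{32}$"),
    "SHA-1": re.compile(r"^[0-9a-f]{40}$"),
    "SHA-256": re.compile(r"^[0-9a-f]{64}$"),
}

# Constructed alerts as a SIEM might emit them: local-time stamps with offsets,
# mixed indicator types, and a plain port scan mixed in with real intrusions.
# Hashes are the MD5/SHA-1/SHA-256 of an empty file; IPs are documentation ranges.
ALERTS = [
    {"id": "A1", "kind": "malware", "src_ip": "203.0.113.7", "src_port": 44123,
     "ts": "2016-11-02T09:15:00-05:00", "c2": "198.51.100.20",
     "hash": "d41d8cd98f00b204e9800998ecf8427e",
     "account": "ACCT-0001", "funds_at_risk_usd": 300_000},
    {"id": "A2", "kind": "credential-theft", "src_ip": "203.0.113.8", "src_port": 51022,
     "ts": "2016-11-02T16:05:00+01:00", "c2": "198.51.100.20",
     "hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "account": "ACCT-0002", "funds_at_risk_usd": 250_000},
    {"id": "A3", "kind": "scan", "src_ip": "192.0.2.55", "src_port": 60000,
     "ts": "2016-11-03T02:00:00+00:00", "account": "", "funds_at_risk_usd": 0},
    {"id": "A4", "kind": "phishing", "src_ip": "203.0.113.9", "src_port": 40001,
     "ts": "2016-11-04T11:30:00-08:00", "c2": "198.51.100.99",
     "hash": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "account": "ACCT-0003", "funds_at_risk_usd": 1_200},
]


def to_utc(ts: str) -> str:
    """Render an ISO-8601 timestamp with offset in UTC, the form the Advisory asks for."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset is ambiguous: {ts}")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def hash_type(h: str):
    """Label a hex digest as MD5, SHA-1 or SHA-256 by length; None if it is neither."""
    for name, pat in HASH_PATTERNS.items():
        if pat.match(h.lower()):
            return name
    return None


def group_related(alerts):
    """Cluster alerts that share an identifier (C2 node, file hash or source IP)."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # indicator value -> id of the first alert carrying it
    for a in alerts:
        for key in ("c2", "hash", "src_ip"):
            val = a.get(key)
            if not val:
                continue
            if val in first_seen:
                parent[find(a["id"])] = find(first_seen[val])
            else:
                first_seen[val] = a["id"]
    groups = {}
    for a in alerts:
        groups.setdefault(find(a["id"]), []).append(a)
    return list(groups.values())


def reporting_decision(group, threshold=SAR_THRESHOLD_USD):
    """Apply the aggregate funds-at-risk test; returns (file_sar, at_risk, reason)."""
    if all(a["kind"] == "scan" for a in group):
        return False, 0, "scanning/probing only; no SAR required on its own"
    at_risk = sum(a["funds_at_risk_usd"] for a in group)
    if at_risk >= threshold:
        return True, at_risk, f"${at_risk:,} at risk meets the ${threshold:,} threshold"
    return False, at_risk, f"${at_risk:,} at risk is below ${threshold:,}; consider voluntary filing"


def sar_attachment(group) -> str:
    """Build the tabular (CSV) attachment with the indicator fields the Advisory lists."""
    cols = ["event_id", "timestamp_utc", "kind", "src_ip", "src_port", "c2_node",
            "hash_type", "hash", "affected_account", "funds_at_risk_usd"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=cols, lineterminator="\n")
    w.writeheader()
    for a in sorted(group, key=lambda a: to_utc(a["ts"])):
        h = a.get("hash", "")
        w.writerow({"event_id": a["id"], "timestamp_utc": to_utc(a["ts"]),
                    "kind": a["kind"], "src_ip": a["src_ip"], "src_port": a["src_port"],
                    "c2_node": a.get("c2", ""), "hash_type": hash_type(h) or "",
                    "hash": h, "affected_account": a["account"],
                    "funds_at_risk_usd": a["funds_at_risk_usd"]})
    return buf.getvalue()


if __name__ == "__main__":
    for group in group_related(ALERTS):
        file_sar, at_risk, reason = reporting_decision(group)
        print([a["id"] for a in group], "->", "FILE" if file_sar else "no filing", "|", reason)
        if file_sar:
            print(sar_attachment(group))
```

Running it clusters A1 and A2 (same command-and-control node) into one reportable SAR with $550,000 at risk, leaves the lone scan A3 unreported, and flags A4 as below threshold but a candidate for voluntary filing. The clustering key (C2 node, hash, source IP) and the decision to treat a scan-only cluster as non-reportable are the example’s choices, not rules from the Advisory beyond what the text above describes.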

Separately, FinCEN notes that, even where reporting of a cyber-event is not mandatory under BSA regulations, other laws may require reporting of these events, and financial institutions remain subject to any other such obligations. In particular, the federal banking agencies have their own requirements for the reporting of cyber-events, and these are cross-referenced in the Advisory.

Voluntary Reporting of Cyber Events

The Advisory also encourages, though it does not require, financial institutions to report “egregious, significant, or damaging cyber-events and cyber-enabled crime” regardless of whether such events ordinarily would require the filing of a SAR. To illustrate, the Advisory provides the example of a DDoS attack on a financial institution’s website that results in a disruption of service for customers for a significant period of time but does not involve any related transactions or compromise of customer data. Although such an attack in isolation may not reasonably trigger SAR reporting requirements if no customer funds or assets were placed at risk, FinCEN notes that reporting of such cyber-events is nevertheless “highly valuable in law enforcement investigations.”

Including Cyber-Related Information in SARs

The Advisory also explains FinCEN’s expectation that financial institutions will include cyber-related information (including the data fields identified for cyber-event reporting above), whenever it is available, for any SAR, regardless of whether or not the SAR relates to a cyber-event. This has the potential to substantially increase the amount of information that must be reported in the thousands of SARs that financial institutions now file on an annual basis, and seems likely to require compliance personnel to understand how to identify the availability and relevance of such information for inclusion in SAR reporting, or to have access to other financial institution personnel who will. FinCEN reasons that providing such information is part of a financial institution’s obligation to provide complete and accurate reporting when filing a SAR.

Collaboration In-House Between BSA/Anti-Money Laundering (AML) Units and Cyber-security Personnel

While the FAQs explain that a financial institution’s BSA/AML personnel are not specifically required to be knowledgeable about cyber-security and cyber-events, FinCEN notes that collaboration with cyber-security, anti-fraud, and other knowledgeable personnel within a financial institution may assist AML compliance units in detecting cyber-events and other suspicious activity that must be reported and in identifying relevant cyber-related information that must be included in SARs. FinCEN also specifically encourages financial institutions to incorporate cyber-related information into their AML monitoring efforts and to use cyber-related information to improve their AML risk assessments. Conversely, FinCEN suggests that cyber-security personnel will be able to use information provided by BSA/AML units to improve their ability to guard against cyber-events and cyber-enabled crime.

Sharing Cyber-Related Information Externally Among Financial Institutions

Finally, the Advisory encourages financial institutions to make use of Section 314(b) of the USA PATRIOT Act and its implementing regulations, which allow financial institutions to register with FinCEN and then to share information with other registered institutions for the purpose of identifying and reporting activities that may involve money laundering or terrorist activity, as a means for increased sharing of cyber-related information. The Advisory explains that information such as specific malware signatures, IP addresses and device identifiers, and seemingly anonymous virtual currency addresses “can help identify the individuals, entities, organizations, or countries involved or responsible for [a] cyber-event or cyber-enabled crime linked to money laundering or terrorist activities.”

Practical Considerations

FinCEN’s guidance is effective immediately. Banks and other affected financial institutions should begin now to consider what personnel, technology, and methodology they will use to: (1) identify cyber-events and assess when these require reporting under the new guidance, recognizing that, unlike traditional SARs, cyber-events may require reporting even where no financial transaction is ever conducted, and even where an attempted intrusion is unsuccessful; (2) identify cyber-related information that must be reported when filing any SAR, whether it relates to a cyber-event or not; and (3) incorporate cyber-event and cyber-related information into AML risk assessments for the institution and into AML transaction monitoring and resolution. Given that many financial institutions experience thousands of attempts each day to improperly access their information, the first of these items may be especially resource-intensive. All of these likely will require close collaboration with and reliance on financial institution cyber-security personnel, and perhaps new technology. Because most banks already are required to report intrusions and cyber-crime by their prudential banking regulators, the burden of the new guidance will fall most heavily on non-bank financial institutions subject to SAR reporting requirements. Affected financial institutions also should be aware of the other cyber reporting obligations they may have apart from those required under the BSA (some of which are mentioned in the Advisory), and seek to take advantage of any efficiencies from combining reporting processes.

Finally, although financial institutions should seek opportunities to make use of 314(b) to share cyber-related information, it is worth remembering, as FinCEN notes more than once, that the safe harbor for information sharing under the regulations implementing Section 314(b) is limited to the sharing of information for the purpose of identifying and reporting activities that may involve money laundering or terrorist activity. Similarly, the financial institution that receives the information may use it only for such purposes.