Boards of directors at financial institutions would have to step up their oversight of cybersecurity risks under proposed updates to regulations from New York state’s Department of Financial Services.
The proposal would require board approval of cyber policies at banks, insurers, and other financial institutions meeting a certain size threshold laid out by the regulator. Companies would have to disclose whether their directors have expertise to oversee security risks or they rely on outside cyber consultants.
A public comment period for the proposed amendments, published July 29, is open for feedback before finalization. They would update New York’s first-of-their-kind cybersecurity rules for financial institutions, which went into effect in 2017. Companies that run afoul of the rules risk NYDFS fines.
The regulator’s emphasis on board involvement in cyber risk governance is evidence that threats from ransomware and other kinds of hacks are too broad for security experts to oversee on their own, said Luke Dembosky, a partner at Debevoise & Plimpton LLP who previously worked on cyber cases for the US Justice Department’s national security division.
“There’s a recognition that these are whole-of-company risks that can’t simply be handled by security personnel,” Dembosky said.
The potential revisions to New York’s cyber rules echo federal proposals. The Securities and Exchange Commission highlighted board cyber expertise in proposed breach-reporting rules that would ramp up pressure on companies across sectors to quickly gauge the business impacts of such events.
One question for companies seeking to comply with the proposed rules is how to define cyber expertise at the board level, said Melissa Krasnow, a partner at VLP Law Group LLP focused on privacy and data security.
“How do you demonstrate that?” Krasnow asked. She suggested that companies subject to the New York rules may press for more detail on what counts as cyber expertise during the feedback period.
Public company boards rate cyber threats among their top challenges, according to a survey from the National Association of Corporate Directors. Most directors report that their board’s understanding of cyber risk is improving. Directors also increasingly see a benefit in bringing on a cybersecurity-savvy director due to the rapidly changing threat landscape and heightened regulatory scrutiny, the survey shows.
Still, there’s a “disconnect” between the way that cyber executives talk about threats and the way that boards understand risk, said Chris Hetner, a former SEC cyber adviser who currently advises members of the director association on cyber issues. He also sits on the Insights Council of Nasdaq’s Center for Board Excellence and advises on cyber risk management through the Chertoff Group.
Hetner said the New York regulator’s proposal could go a step further toward forcing companies to contextualize cyber risks in terms of their potential to interrupt business, incur costs for repairing systems, and damage relationships with partners or customers.
“Cyber metrics are highly technical,” he said. “They’re not capturing the relationship between risks and the balance sheet.”
Under the New York proposal, cybersecurity executives would need to give directors timely alerts of significant cyber issues or events. They would also be required to report to the board each year on cyber risks and defenses as well as on plans for filling in security gaps.
Financial institutions would have 72 hours to tell the regulator about any unauthorized access to privileged accounts or deployment of ransomware within a “material” part of the company’s information system. Materiality is a standard for information that an investor is likely to consider relevant to their decision-making.
The proposal would direct regulated financial institutions to alert the state regulator within 24 hours of making a ransom payment to a hacker. This requirement is similar to a ransomware payment disclosure mandate included in a new federal cyber breach reporting law that covers providers of critical infrastructure such as energy and water utilities.
In New York’s latest proposal, financial institutions also would need to explain why a ransom payment was necessary, which alternatives were considered, and how federal sanctions implications were assessed.
The state financial regulator has urged businesses it oversees not to pay ransoms when hackers lock up their systems and demand payment to restore access. Policymakers have grappled with whether to forbid ransomware payments to take away the financial incentive for hackers.
“This stops short of that,” said Erez Liebermann, a Debevoise & Plimpton partner who previously worked as in-house cyber and privacy counsel at Prudential Financial. “But it sends the message that it should be well thought out.”