On Sept. 28, 2016, proposed cybersecurity regulations promulgated by the New York Department of Financial Services (NYDFS) were published in the New York State Register (the NY Cybersecurity Regulations). A press release from New York Governor Andrew Cuomo said that these “new first-in-the-nation” regulations would require banks, insurance companies and other financial services institutions to maintain a cybersecurity program designed to protect consumers.

The proposed regulations have yet to take effect and, as of the writing of this article, remain subject to a 45-day comment period. Assuming no further changes to the language of the NY Cybersecurity Regulations, the new rules will go into effect on January 1, 2017.

Existing Laws, Regulations and Guidance

Gramm-Leach-Bliley: Interagency Guidelines

Governor Cuomo’s pride in the Empire State, while understandable, is misplaced in this case. There are in fact existing laws and regulations of long-standing that impose information security obligations on financial institutions. Most notably, the Gramm-Leach-Bliley Act, a federal law enacted in 1999 (GLBA), requires financial institutions to protect the security and confidentiality of their customers’ nonpublic personal information. Under the authority of GLBA, various financial regulators — such as the Office of the Comptroller of the Currency (OCC), the Federal Reserve and the Federal Deposit Insurance Corp. (FDIC) — promulgated the Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) which became effective on February 1, 2001.

The Interagency Guidelines apply to financial institutions such as bank holding companies, national banks, state banks that are members of the Federal Reserve System, savings associations and FDIC insured depository institutions. The Interagency Guidelines require covered financial institutions to maintain a written information security program that includes appropriate administrative, technical and physical safeguards for both the protection of customer information and the destruction of customer information and consumer information (whether such information is in paper, electronic or other form).

Generally speaking, the Interagency Guidelines set forth a flexible, risk-based approach that allows a covered financial institution to determine the security measures that are appropriate for it. The Interagency Guidelines also note that covered financial institutions should have a response program to address incidents of unauthorized access to customer information. As part of such a response program, a covered financial institution should have procedures for assessing incidents of unauthorized data access and notifying regulators, law enforcement and impacted customers regarding such incidents (where appropriate).

Other Regimes Under GLBA

The Interagency Guidelines are not the only GLBA based information security rules. The National Credit Union Association (NCUA) separately adopted Guidelines for Safeguarding Member Information (NCUA Guidelines) under the authority of GLBA prior to the promulgation of the Interagency Guidelines. The NCUA Guidelines apply to federally-insured credit unions. There are no meaningful substantive differences between the NCUA Guidelines and the Interagency Guidelines.

GLBA’s data security requirements also apply to broker-dealers and investment advisors regulated by the Securities and Exchange Commission (SEC), as well as entities regulated by the Federal Trade Commission (FTC) that are substantially engaged in financial service activities. Both the SEC and the FTC have promulgated their own separate data safeguard rules under the authority of GLBA.

FFIEC Examination Handbook

The Federal Financial Institutions Examination Council (FFIEC) is an interagency body consisting of the Federal Reserve, the FDIC, the NCUA, the OCC, the State Liaison Committee and the Consumer Financial Protection Bureau. From time to time, the FFIEC publishes guidance for use by bank examiners of financial regulators. On September 9, 2016, the FFIEC published an updated version of its Information Technology Examination Handbook : Information Security (FFIEC Information Security Booklet). The FFIEC Information Security Booklet, while not having the force of law or regulation, still provides valuable insight into how regulators measure a financial institution’s compliance with the requirements of GLBA and the Interagency Guidelines.

Other State Laws

In addition to GLBA (and the related regulations and regulatory guidance), there are other existing state laws imposing data security obligations on persons and entities (including financial institutions). Some notable examples include:


• a California law requiring businesses that own, license or maintain personal information to implement and maintain reasonable security procedures;

• Massachusetts regulations which require persons or entities owning or licensing personal information to maintain a comprehensive written information security program setting forth administrative, technical and physical safeguards (and if any personal information is electronically stored, the information security program must cover computers and wireless systems); and

• a Connecticut statute which requires any person that conducts business in Connecticut and who possesses another’s personal information to safeguard the data, computer files and documents containing such personal information and to ensure that such data is erased, destroyed or rendered unreadable prior to destruction.

New York’s Cybersecurity Regulation

Governor Cuomo’s claims notwithstanding, it is clear that the NY Cybersecurity Regulations will not be the first regulatory scheme addressing financial institutions’ information security obligations. So, are the NY Cybersecurity Regulations largely duplicative of existing legal requirements and therefore are, at best, unnecessary? Yes … and no.

Below is a brief summary of where the proposed New York regulations are consistent with — and where they differ from — existing laws, regulations and regulatory guidance.

Covered Entities

The proposed regulations will cover any person or entity “operating under or required to operate under a license, registration … or similar authorization under” New York’s banking, insurance or financial services laws (Covered Entities). Note that national banks, banks chartered in other states, Federal credit unions and broker-dealers (among others) would not be Covered Entities.

Scope of Proposal

The NY Cybersecurity Regulations will cover:


•  Information Systems — which include electronic information resources organized for the collection, processing, use and dissemination of electronic information; and

•  Nonpublic Information in electronic form.


Given that its coverage is limited to electronic information (and electronic information processing systems), the NY Cybersecurity Regulations are actually less extensive (in some respects) than GLBA and the Interagency Guidelines (which extend their coverage to information in paper, electronic or other form).

However, GLBA and the Interagency Guidelines limit their coverage to customer information and consumer information (e.g., credit reports and information derived from credit reports). The NY Cybersecurity Regulations define Nonpublic Information to include non-publicly available:

• business information of a Covered Entity (if its unauthorized disclosure would have a material adverse impact on the entity);

• customer (and prospective customer) information;

• information related to the health or health care of individuals;

• can be used to identify an individual (e.g., name & government id); or

• information that is linked or linkable to an individual (e.g., employment related information).

Source: New York’s Proposed Cybersecurity Regulations: An Old Path Or a New Trail?


Japan’s Defense Ministry on Monday denied a report that a military computer network had suffered a high-level cyber attack in September, possibly involving a state actor.

A public affairs official at the ministry said the report wasn’t true, and that it receives numerous suspicious e-mails and other forms of contact believed to be cyber attacks on a daily basis. The official, who declined to be named in line with government policy, also said the ministry doesn’t comment on such attacks as that would expose its ability to deal with them.

Kyodo news had cited ministry sources in an earlier report, which said that the hackers didn’t leave a detailed trail and the extent of the damage was unclear. The news agency said the hackers took advantage of the fact that computers at Japan’s National Defense Academy and National Defense Medical College are connected both to a university network and to an internal network linking military bases.

The report also cited senior military officials as saying the attack was viewed as a crisis. Staff at the ministry and the Self-Defense Forces were temporarily banned from connecting to the Internet after the incident became apparent in September, it said.

The reported attack came two-and-a-half years after the SDF set up their own cyber defense unit.

In 2011, a cyber attack on military contractor Mitsubishi Heavy Industries Ltd. was believed to have targeted defense technology, according to the Nikkei newspaper. Japan’s space agency, JAXA, also suffered cyber attacks in 2013, and a naval officer was convicted in 2008 over the unauthorized sharing of information related to the Aegis missile defense system.

“The cost of launching massive, sustained attacks has dropped because computing power is cheap,” said Jack Midgley, a consultant with Deloitte Tohmatsu Consulting in Tokyo, which cited Japan as one of the five Asia-Pacific nations most vulnerable to cyber attacks in a report earlier this year.

Source: Japan Denies Report of ‘State-Backed’ Cyber Attack on Military