New York State Department of Financial Services (DFS) first-in-the-nation cybersecurity regulation to protect New York State from the ever-growing threat of cyber-attacks is now in effect. DFS Cybersecurity requires banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.
“New Yorkers must be confident that the banks, insurance companies and the other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information,” said Superintendent Vullo. “This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats.” New York, Financial Services Superintendent Maria T. Vullo
..."Companies must disclose, within 72 hours, to the Secretary of DFS any cybersecurity event that either (1) must be disclosed to another government or self-regulating agency, or (2) has a “reasonable likelihood of materially harming any material part” of the normal operations of the company"
Corporate Governance: The DFS regulation requires engagement at the top of an organization. The regulation provides that senior management and boards of directors “must take” cyber security issues “seriously and be responsible for an organization’s cybersecurity program.” This obligation starts with the creation of a cybersecurity policy—the framework for protecting a company’s IT network and most sensitive information. Covered companies must also designate a Chief Information Security Officer (“CISO”), who must report to the board annually. The cybersecurity policy must be in place, and the CISO designated, by August 28, 2017.
Testing and Assessments: The regulation requires companies to conduct a number of cybersecurity tests and analyses. First and foremost, companies will have to perform a “risk assessment.” The risk assessment must “evaluate and categorize risks,” evaluate the integrity and confidentiality of the company’s information systems and non-public information and develop a process to mitigate any identified risks.
Companies must also conduct annual penetration testing and bi-annual vulnerability testing. Each of these tests and assessments must be conducted by March 1, 2018.
Day-to-Day Requirements: The regulation’s day-to-day and technical requirements are substantial and detailed. Among others, companies must develop access controls for their information systems, ensure the physical security of computer systems, encrypt or protect personally identifiable information, perform reviews of in-house and externally created applications, train employees, and build an audit trail system. The timeline to ensure compliance with these rules ranges from one year to eighteen months.
Third-Party Rules: The new regulation not only contains extensive requirements for covered entities but also regulates third-party vendors with access to an institution’s IT network or non-public information. Covered banks and insurers are required to develop and implement written policies and procedures to ensure the security of IT systems or non-public information that can be accessed by their vendors. At a minimum, these policies must identify the risks from third-party access, impose minimum cybersecurity practices for vendors, and create a due-diligence process for evaluating those vendors. Covered entities will have two years to satisfy these extensive requirements.
Notification Requirements: Finally, the new regulation includes a mandatory notification process for any material cybersecurity event. Within 72 hours, companies must report to the DFS a cybersecurity event that has a “reasonable likelihood” of “materially harming” the company or that must be reported to another government or self-regulating agency. In addition, companies—through a certification from either the board or a senior officer—must annually attest to their compliance with the DFS regulation.
The final regulation also provides some relief from the regulation’s strict requirements for a number of entities including:
- Companies that earn less than $5 million in gross revenue in New York (in each of the past three years), that have less than $10 million in year-end total assets from all operations, or that have fewer than ten employees in New York (including independent contractors) are exempt from a number of the regulation’s provisions.
- Companies that do not have information systems and access to nonpublic information are, likewise, exempt from a number of the DFS requirements.
- Captive insurance companies—both pure and group captive insurers—are also exempt from many of the DFS requirements.
- And, subject to certain limitations, the regulation exempts a small number of entities from the regulation, including Rule 125 certified and accredited reinsurers.
On Dec. 28, 2016, the New York State Department of Financial Services (“NYDFS”) issued revisions to its proposed regulation that would impose new, rigorous cybersecurity requirements on banks, consumer lenders, money transmitters, insurance companies and certain other financial service providers (each a “Covered Entity”) regulated by the NYDFS (the “Proposed Regulation”). The Proposed Regulation’s effective date was delayed two months, from Jan. 1, 2017 to March 1, 2017. In the meantime, a new 30-day public comment period will run until Jan. 27, 2017.
Even as revised, the Proposed Regulation still exceeds what other regulators have suggested, much less required, and given the scope and footprint of many New York financial institutions, the impact of the Proposed Regulation will likely far exceed the state of New York. However, the NYDFS did make several significant modifications, mostly in response to industry concerns. This post focuses on those changes. For more information on the aspects of the Proposed Regulation that remain unchanged, please refer to our Sept. 15, 2016 post on the original version.
(As summarized by Harvard Business School)
Tailored to Risk
Proposed Regulation now makes clear that while all Covered Entities are required to maintain a cybersecurity program and a written cybersecurity policy, a particular Covered Entity’s program and policy should be based on the findings of its own Risk Assessment. Similarly, it is now clear that:
- Penetration testing and vulnerability assessments are to be tailored towards the risks and vulnerabilities identified in the Risk Assessment, and such testing and assessments are not necessary if the entity otherwise maintains “effective continuous monitoring, or other systems to detect, on an ongoing basis, changes … that may create or indicate vulnerabilities”;
- Audit trail systems are only required to the extent applicable and should be based on the Risk Assessment;
- Limitations on user access privileges to systems that provide access to “Nonpublic Information” should be based on the Risk Assessment;
- The required components of policies and procedures regarding the security of systems and information accessible to, or held by, third parties will depend on the applicable facts and the Risk Assessment;
- Whether multifactor authentication should be used to protect against unauthorized access will be determined based on the Risk Assessment; and
- The decision to encrypt Nonpublic Information or to employ alternative compensating controls should be determined based on the Risk Assessment.
Secure “Nonpublic Information” from misuse, disruption, and unauthorized access, and the original version of the Proposed Regulation defined such information very broadly (e.g., far broader than what New York’s existing data protection law defines as “private information”). Accordingly, many of those commenting on the Proposed Regulation complained that it was overbroad, unclear or unnecessarily inconsistent with other existing standards. In response, the NYDFS revised the definition, significantly decreasing its scope.
Nonpublic Information to include any information (unless otherwise available to the general public from government records or widely distributed media):
that an individual provides to a Covered Entity in connection with the seeking or obtaining of any financial product or service from the Covered Entity, or is about an individual resulting from a transaction involving a financial product or service between a Covered Entity and an individual, or a Covered Entity otherwise obtains about an individual in connection with providing a financial product or service to that individual.
The definition is limited to merely any information (again, unless otherwise available to the general public from government records or widely distributed media):
concerning an individual which because of name, number, personal mark or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number; (ii) driver’s license number or non-driver identification card number; (iii) account number, credit or debit card number; (iv) any security code, access code or password that would permit access to an individual’s financial account; or (v) biometric records.
Apart from the addition of “biometric records,” the amended language is substantially the same as the definition of “private information” in New York’s general data breach notification statute. However, overall, the definition of Nonpublic Information is still broader than “private information” because the definition includes: (1) healthcare information; and (2) “[b]usiness related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact on the business, operations or security of the Covered Entity.”
Encryption of Nonpublic Information
In a significant change, the Regulation now allows Covered Entities to either encrypt Nonpublic Information or use alternative compensating controls. As originally drafted, the Proposed Regulation would have permitted the use of compensating controls only for a limited transition period—one year to start encrypting data in transit and five years to commence encrypting data at rest. Now, the Proposed Regulation permits the use of alternative compensating controls indefinitely, provided such controls are reviewed and deemed effective by the Covered Entity’s chief information security officer (“CISO”). Moreover, to the extent that encryption is not used, the CISO must review “the feasibility of encryption and effectiveness of the compensating controls” at least annually. The Proposed Regulation now also clarifies that information in transit refers to transit “over external networks.”
Chief Information Security Officer
The Regulation requires that each Covered Entity designate a CISO to oversee and implement the Covered Entity’s cybersecurity program and written cybersecurity policy. Some commentators expressed concerns regarding the feasibility or practicality of hiring or appointing an individual whose exclusive job would be to serve as CISO, under that specific title. In response, the NYDFS clarified the Proposed Regulation to provide that the person carrying out the duties of the CISO does not need to be exclusively dedicated to such activities and does not need a specific title. In fact, the revisions explicitly permit the CISO requirement to be satisfied by an employee of an affiliate or third-party service provider (subject to certain requirements).
As originally drafted, the Regulation required Covered Entities to maintain sufficiently detailed records to be able to, among other things:
- Completely reconstruct all financial transactions and accounting necessary to enable the Covered Entity to detect and respond to attempted and actual attacks; and
- Track and maintain data logging of all authorized user access to critical systems, including all physical access to hardware, that allows for event reconstruction.
Some commentators argued that this extensive audit trail requirement was excessive and would lead to the retention of too much information. In response, the NYDFS significantly reduced the requirement by adding multiple materiality qualifiers and, as noted above, tying it to the Covered Entity’s Risk Assessment. Moreover, the applicable record retention period was shortened from six years to five, consistent with the retention requirements of other aspects of the Proposed Regulation.
The Regulation required Covered Entities to securely dispose of Nonpublic Information when it was no longer necessary for the provision of the products or services to which such information relates, except when maintenance of the information was required by law. A number of commentators asserted that this exception was too narrow, as it did not take into account other legitimate business purposes for which data may ordinarily be retained. In response, the NYDFS modified the Proposed Regulation so that the permissibility of data retention is not tied solely to the specific product or service at issue. Instead, data may be retained whenever necessary “for business operations or for other legitimate business purposes.” As revised, the data destruction requirement now also includes a feasibility exception. Secure disposal need not occur “where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.”
Third Party Service Providers
The Regulation required Covered Entities to (a) implement written policies and procures to ensure the security of systems and Nonpublic Information accessible to, or held by, third parties with which they do business (“Third Party Service Providers”); and (b) negotiate for certain “preferred provisions” to be included in contracts with Third Party Service Providers. While the Proposed Regulation still retains the requirement to maintain written policies and procedures, it now makes clear that they should be based on the Covered Entity’s Risk Assessment. For example, whereas previously the Proposed Regulation required a Covered Entity to conduct an annual assessment of each of its Third Party Service Providers and the adequacy of their cybersecurity practices, now such assessments are only required based on the risk a particular Third Party Service Provider presents.
Moreover, in response to the concern expressed by numerous Covered Entities that they would not always have sufficient leverage to force Third Party Service Providers to accept the preferred provisions, the NYDFS modified the requirement to permit the use of “relevant guidelines for due diligence” instead of actual contractual provisions. Further, the NYDFS eliminated a preferred provision that seemed to suggest that Covered Entities were required to conduct cybersecurity audits of all Third Party Service Providers. Significantly, the NYDFS also amended a preferred provision that would have previously required Third Party Service Providers to warrant that no viruses, trap doors, time bombs and other security threats existed. As revised, the Proposed Regulation simply advises Covered Entities to obtain “representations and warranties addressing the Third Party Service Provider’s cybersecurity policies and procedures that relate to the security” of the Covered Entity.
Cybersecurity Event Reporting
The Rule required that all “Cybersecurity Events” that have “a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information” (including any “actual or potential unauthorized tampering with, or access to or use of, Nonpublic Information)” be reported to the superintendent (“Superintendent”) of the NYDFS within 72 hours. Many commentators understandably complained that the requirement was overly broad and, therefore, would result in many reports that were of little value. In addition, many commentators asserted that the 72-hour time frame was too short and would not afford a Covered Entity enough time to gather necessary information prior to reporting.
The Regulation raises Covered Entities’ notification obligations beyond what existing law requires, but it reduces their obligations as compared to the original draft. The requirement that the superintendent be notified “in no event later than 72 hours” remains, but that time period now begins only once the Covered Entity determines that a Cybersecurity Event with “a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity” occurred (unless notice is otherwise required to a government body, self-regulatory agency or other supervisory body, in which case the Covered Entity must notify the NYDFS within 72 hours of the determination that the Cybersecurity Event occurred).
The NYDFS added several new exemptions or partial exemption. If a Covered Entity has: (1) fewer than 10 employees or independent contractors; (2) less than $5 million in gross annual revenue each of the past three fiscal years; or (3) less than $10 million in it and its affiliates’ GAAP year-end total assets, it is exempt from the CISO, penetration testing, audit trail, application development, cybersecurity personnel, multifactor identification, training, encryption and incident response plan obligations of the Proposed Regulation. Moreover, a Covered Entity need not adopt its own program if it is an “employee, agent, representative, or designee” of a Covered Entity and is covered under that Covered Entity’s program.
Finally, a Covered Entity that does not directly or indirectly maintain “Information Systems” or have Nonpublic Information is exempt from most requirements of the Proposed Regulation. It must still conduct a risk assessment, develop a written Third Party Service Provider Security Policy, abide by the data retention requirement and provide notice to the Superintendent under the Proposed Regulation.
Any Covered Entity that wishes to benefit from an exemption must file a “Notice of Exemption” with the Superintendent.
Timeline for Compliance
While NYDFS did not change the Regulation’s 180-day conformance period, it did add three exceptions to that deadline.
- First, Covered Entities are now given until March 1, 2018 to comply with:
- The reporting obligations of the CISO;
- The requirement to conduct periodic risk assessments;
- Any requirement to conduct annual penetration testing and bi-annual vulnerability assessments;
- Any requirement to implement multifactor authentication or risk-based authentication; and
- The obligation to provide regular up-to-date cybersecurity awareness training for all
- Second, Covered Entities are now given until Sept. 1, 2018 to comply with:
- Any requirement to maintain audit trail systems;
- The requirements to implement:
- Written procedures, guidelines and standards on application security;
- Policies and procedures for the secure disposal of Nonpublic Information; and
- Policies, procedures and controls to monitor authorized users; and
- Any requirement to encrypt Nonpublic
- Finally, Covered Entities are now given until March 1, 2019 to comply with the requirement to implement written policies and procedures regarding the security of systems and information accessible to, or held by, Third-Party Service