For more information, please contact The Ahearne Law Firm, PLLC at (845) 763-4100 for a free initial consultation.
The New York Department of Financial Services (NYDFS) recently proposed a revised regulation to add cybersecurity requirements to those already in existence for banks, insurance companies and other financial services institutions in New York.
The NYDFS first released proposed rules in September 2016, which were set to take effect in January 2017. After comment and criticism of those rules by regulated entities, the NYDFS revised them. The revised regulation is scheduled to take effect on March 1, 2017, with staggered compliance deadlines for its cybersecurity requirements. Companies should take steps now to ensure compliance and to minimize the business disruption that a delayed rollout of new or revised internal policies, procedures or technology would cause. Continued cyber threats to the financial services sector are likely to bring further federal and state regulatory oversight and additional regulation.
The NYDFS is accepting comments on the revised proposed regulation and will focus its current review on new comments not already raised during the original comment period. Although the NYDFS issued the revised rule after receiving feedback from regulated entities, the department did not address every concern raised by industry participants. Certain ambiguities remain in the proposed regulation as drafted, and commenters have asserted that its provisions should be made more flexible and risk-based.
The proposed regulation is the first of its kind by a state regulator, and it is likely that other regulators will follow suit. The new regulation adds another level of complexity for managing cyber risk and ensuring compliance, as regulatory oversight increases and new standards continue to emerge in the absence of a unified federal standard.
The regulation makes it clear that cybersecurity is not solely a matter for the technology or information security team. It requires an enterprise-level approach to managing cyber risk by expressly placing responsibility for the cybersecurity program on senior management and by requiring not only technical controls but also operational controls, policies and procedures, training programs, and reporting to senior management and the board. The regulation sets out a list of prescriptive requirements, obliging companies to conduct a periodic risk assessment and to design a cybersecurity program that addresses the risks identified:
- develop and maintain a written cybersecurity policy, approved by a senior officer, the board of directors or an equivalent governing body, that addresses 14 enumerated areas, including incident response, information security, access controls, vendor management and data privacy
- designate a chief information security officer (CISO) or functional equivalent, responsible for overseeing and implementing the cybersecurity program as well as enforcing the cybersecurity policy
- provide annual reports to the board of directors or equivalent governing body
- perform periodic penetration testing and vulnerability assessments
- maintain audit trail systems for at least five years
- implement technical and policy-based controls to protect nonpublic information, including: 1) access controls, 2) multi-factor authentication, and 3) encryption of nonpublic information in transit and at rest or, where encryption is infeasible, alternative compensating controls
- implement written procedures, guidelines and standards to ensure application security
- implement written policies and procedures for user behavioral monitoring
- conduct employee training, including targeted training for cybersecurity personnel
- implement written policies and procedures to ensure the security of information accessible to, or held by, third-party service providers
- implement a data retention and disposal program
- implement an incident response plan
- notify the NYDFS within 72 hours of determining that a “Cybersecurity Event” has occurred that either 1) requires notice to any government body, self-regulatory agency or other supervisory body, or 2) has a reasonable likelihood of materially harming any material part of the normal operations of the covered entity (the 72-hour clock runs from the entity's determination, so the incident response plan should define who makes that determination and how it is recorded)
- provide annual certification of compliance to the NYDFS
Covered entities will have six months from March 1, 2017 to comply with the new regulation, but the NYDFS has provided longer transition periods for certain requirements:
- One year for the annual report to the board of directors, penetration testing and vulnerability assessments, risk assessment, multi-factor authentication and cybersecurity awareness training
- Eighteen months for audit trail, application security standards, data retention and disposal, policies and procedures for user behavioral monitoring as well as encryption
- Two years for third-party service provider written policies and procedures
Affected companies should consider conducting internal risk assessments, purchasing cyber insurance coverage, revising existing policies and procedures (and creating new ones) to reflect the definitions and requirements of the NYDFS regulation, evaluating vendor management programs, and training personnel and senior management on the new rule. Care should be taken that assessments do not themselves create risk, for example by documenting gaps without a plan and timeline to remediate them, that they stay focused on compliance with the new rule, and that the necessary internal stakeholders are involved.
If you are affected by the proposed NYDFS rule, you should consult legal counsel.