The New York State Department of Financial Services (DFS) promulgated proposed cybersecurity requirements to respond to “the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.” While the DFS stated its appreciation for the fact that many firms have proactively improved their cybersecurity posture, it determined that certain minimum standards are warranted to ensure the safety and soundness of financial institutions and the protection of customers. Certain elements of the proposed regulation are common to existing requirements found in other jurisdictions and applicable to a broader range of companies. The proposed regulation, however, which is focused on the financial services industry, moves far beyond existing requirements and imposes additional obligations that will be both uncommonly burdensome and potentially risky.
Scope of the Proposed Regulation
The proposed regulation applies to any individual or company operating or required to operate under a “license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law of the State of New York,” referred to within the proposed regulation as a “Covered Entity.” The proposed regulation is designed to protect all “Nonpublic Information,” meaning electronic information that is not “Publicly Available Information” (as defined by the proposed regulation), as well as the Covered Entity’s Information Systems. For this purpose, Information System is defined to include “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.” Thus, the scope of the requirements far exceeds the more common concepts of Personal Information and the systems on which it resides: building management, telephony and process-control systems that hold no personal data at all fall within it.
What is required?
Cybersecurity Program and Policy. The proposed regulation requires each Covered Entity to establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems. The cybersecurity program must (1) identify internal and external cyber risks, (2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems and Nonpublic Information, (3) detect Cybersecurity Events, (4) respond to Cybersecurity Events, (5) recover from Cybersecurity Events and (6) fulfill regulatory reporting obligations. Each Covered Entity must also adopt a cybersecurity policy, which must address, at a minimum, 14 specific areas, including data governance and classification, access controls and identity management, risk assessment and incident response. On at least an annual basis, the cybersecurity policy must be reviewed by the Covered Entity’s board of directors and approved by a senior officer.
CISO. Each Covered Entity is also required to designate a chief information security officer (CISO), which function may be outsourced if certain requirements are met. The CISO is required to report at least twice a year (the proposed regulation says “bi-annually”) to the board of directors of the Covered Entity. Although other requirements for information security (the Massachusetts data security regulation, for example) impose similar types of requirements, the breadth and specificity of the proposed regulation is, currently, unique.
Assessments and Testing. The cybersecurity program must include at least quarterly vulnerability assessments and annual penetration testing. Among other requirements, there must also be a risk assessment conducted at least annually and written policies and procedures governing vendors and other third parties that have access to the Information Systems or Nonpublic Information of the Covered Entity.
Encryption. The proposed regulation also imposes specific encryption requirements, requiring the encryption of all Nonpublic Information both in transit and at rest. Where encryption is currently infeasible, the proposed regulation allows appropriate alternative compensating controls in its place, but only for a one-year grace period for Nonpublic Information in transit and a five-year grace period for Nonpublic Information at rest. Note that Nonpublic Information is defined much more broadly than the typical definitions of personal information, personally identifiable information, or protected health information used in most encryption requirements, so a Covered Entity cannot limit the encryption effort to the data stores that hold regulated personal data.
Incident Response Plan. Each Covered Entity is required to have a written incident response plan to guide its response to and recovery from any Cybersecurity Event. The plan must address seven areas specified in the proposed regulation.
Reporting Requirement. Of particular significance is the requirement to report any Cybersecurity Event that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity, or that affects Nonpublic Information, to the DFS superintendent as promptly as possible but in no event later than 72 hours. Given that the definition of Cybersecurity Event includes unsuccessful attempts to attack data or systems, not only successful intrusions, this notification requirement could impose significant burdens on both Covered Entities and the DFS itself. We note that while this requirement is triggered only by Cybersecurity Events that have a reasonable likelihood of materially affecting the Covered Entity, or that affect Nonpublic Information, a Covered Entity’s determination of effect will presumably be reviewed in hindsight, and Covered Entities may therefore err on the side of over-reporting, or risk being second-guessed in their determination.
Limited Exemption for Small Entities
The proposed regulation provides a limited exemption for Covered Entities that meet all of the following: fewer than 1,000 customers in each of the last three calendar years, less than $5 million in gross annual revenue in each of the last three years, and less than $10 million in year-end total assets, including assets of all affiliates. Exempted Covered Entities must still comply with the requirements for a cybersecurity program and a cybersecurity policy, limits on access to Information Systems, annual risk assessments, the third-party information security requirements, limitations on data retention and the notices to the superintendent.
The proposed regulation will be posted for public comment in the New York State Register for 45 days beginning on September 28, 2016. Entities that may be subject to the proposed regulation should carefully analyze its new requirements and, as appropriate, consider providing comments before it becomes effective.
Theodore Augustinos is a Partner in Locke Lord’s Hartford office. He can be reached at firstname.lastname@example.org.