With a compliance date a few months away, licensees of the New York Department of Financial Services (DFS) must start taking action in response to coming cybersecurity requirements, which will be more onerous and difficult than any existing requirements in the United States. Even though the revised proposed regulation, published December 28, 2016 and available here, is open for comment until January 27, 2017, the DFS will focus on new comments that were not raised in the original comment period. As the original comment drew 150 comments addressing nearly every aspect of the proposed regulation, it is unlikely that new comments will result in further substantive changes that would justify delaying a licensee’s planning. This article identifies who will be subject to the new requirements, what is required and by when, and what steps should be taken to comply.
The new requirements deserve attention from persons and companies in the banking, insurance, securities and other regulated financial industries, as it is likely that other states will look to the New York requirements as a model. The New York requirements also serve as a new and robust checklist for any business to consider for improving its cybersecurity risk profile.
I. Who is Affected?
Nearly any DFS licensee: The proposed regulation applies to Covered Entities, defined to mean each individual or non-governmental entity that operates or is required to operate under a license, registration or other authorization under the New York banking, insurance or financial services laws. There is a limited exemption from many (but not all) of the requirements for Covered Entities with fewer than 10 employees (including independent contractors), or less than $5 million in revenue in each of the past three years, or less than $10 million in assets (including affiliates). Exempt from nearly all of the requirements is any person or entity that does not directly or indirectly have any Information Systems or any Nonpublic Information. A Covered Entity that is an employee, agent, representative or designee of a Covered Entity and is covered by the cybersecurity program of the Covered Entity is exempt from the regulation. Covered Entities claiming an exemption must file a Notice of Exemption on a prescribed form.
II. What Systems and Information must be Protected?
Information Systems: Resources used to collect, process and otherwise handle electronic information, and also any specialized systems such as for industrial/process controls, telephone switching, private branch exchange and environmental control.
Nonpublic Information: Electronic information that is not publicly available and that is (i) information the tampering with which, or the unauthorized disclosure, access or use of which, would have a material adverse impact on the Covered Entity; (ii) personal information (as the term is commonly used in other privacy and security requirements); or (iii) health related information.
III. What is Required?
A. Administrative Safeguards
1. Risk Assessment. A risk assessment is required periodically, to include: (i) evaluating and categorizing cybersecurity risks and threats; (ii) assessing the confidentiality and security of Information Systems and Nonpublic Information; and (iii) mitigating identified risks. While not repeated throughout this summary, and not listed first in the regulation, nearly every other administrative and technical requirement of the regulation is tied to the risk assessment.
2. Cybersecurity Program. A cybersecurity program must be designed to protect the confidentiality, integrity and availability of the Covered Entity’s information systems, based on the required risk assessment, and to perform stated core cybersecurity functions.
3. Cybersecurity Policy. A cybersecurity policy approved by a senior officer or the governing board must provide for the protection of Information Systems and Nonpublic Information, based on the required risk assessment, and cover 14 specified areas including data governance and classification, systems and network security, data privacy and incident response.
4. Vendor Management. Policies and procedures must be adopted to protect the security of Information Systems and Nonpublic Information accessible to third party vendors.
5. Personnel, Training and Monitoring. A qualified individual must be designated as the Chief Information Security Officer (CISO), responsible for the cybersecurity program and the cybersecurity policy. The CISO must report at least annually in writing to the Covered Entity’s governing board concerning cybersecurity. Other cybersecurity personnel must be engaged, trained, and updated on cybersecurity risks, and all personnel must have regular cybersecurity awareness training. The Covered Entity must also implement safeguards to monitor the activity of Authorized Users and detect unauthorized access to, use of, or tampering with Nonpublic Information.
6. Access Control. User access to Information Systems must be limited, and periodically reviewed.
7. Application Security. All internally and externally developed applications must be secure, and procedures related to application security must be reviewed, assessed and updated periodically.
8. Testing and Auditing. Monitoring and testing of Information Systems for vulnerabilities must be conducted, including an annual penetration test and bi-annual vulnerability assessments. Systems able to reconstruct material financial transactions must be maintained. Records of Cybersecurity Events (which include unsuccessful attempts) must be maintained for five years.
9. Data Retention and Destruction. Personal information and health information no longer needed to be retained must be securely destroyed.
10. Incident Response Plan. A written incident response plan must be established to guide the response to, and recovery from, Cybersecurity Events.
B. Technical Safeguards
1. Encryption. Generally, Nonpublic Information held or transmitted by the Covered Entity must be encrypted, both in transit and at rest. To the extent that encryption is determined to be infeasible, alternative compensating controls may be substituted, subject to review by the CISO at least annually.
2. Multi-Factor Authentication. To protect against unauthorized access to Nonpublic Information or Information Systems, each Covered Entity must use Multi-Factor Authentication or Risk-Based Authentication (as these terms are defined in the regulation). As an alternative, the CISO can approve other access controls that are at least as secure.
C. Regulatory Reporting and Confidentiality
1. Breach Notices. Notice is required to the DFS superintendent as promptly as possible but no later than 72 hours from a determination that a Cybersecurity Event has occurred, where notice is required to any other governmental or supervisory body, or self-regulatory agency, or where the event has a reasonable likelihood of materially harming any material part of the Covered Entity’s operations.
2. Annual Compliance Certification. An annual compliance certification on the prescribed form must be submitted to the DFS superintendent by February 15 of each year, starting in 2018. Documentation supporting the certificate must be maintained for examination by the DFS for five years.
3. Confidentiality. All information provided by a Covered Entity pursuant to the regulation is exempt from disclosure under public records laws.
IV. When are the New Requirements Effective?
The regulation will be effective March 1, 2017, and Covered Entities will have until September 1 to comply. The following listing indicates the actual compliance date for the various requirements, given the separate deadline for the annual compliance certificate, and three different transition periods of the regulation.
Provisions (with Regulation Section references), grouped by compliance date:
September 1, 2017
- Cybersecurity Program (§ 500.02)
- Cybersecurity Policy (§ 500.03)
- CISO (§ 500.04(a))
- Access Privileges (§ 500.07)
- Cybersecurity Personnel (§ 500.10)
- Incident Response Plan (§ 500.16)
- Notice of Cybersecurity Event (§ 500.17(a))
- Filing for Limited Exemption (§ 500.19(d))
February 1, 2018
- Annual Compliance Certification (§ 500.17(b))
March 1, 2018
- CISO’s annual report to the governing board (§ 500.04(b))
- Pen Testing and Vulnerability Assessments (§ 500.05)
- Risk Assessment (§ 500.09)
- Multifactor Authentication (§ 500.12)
- Cybersecurity Awareness Training for all Personnel (§ 500.14(a)(2))
January 1, 2019
- Audit Trail (§ 500.06)
- Application Security (§ 500.08)
- Data Retention Limits (§ 500.13)
- Monitoring and Detection of activity of Authorized Users (§ 500.14(a)(1))
- Encryption (§ 500.15)
March 1, 2019
- Third Party Vendor Security (§ 500.11)
V. What Steps should be Taken?
Each Covered Entity should start now to review existing programs, policies and procedures to determine what is needed to satisfy the new requirements by the compliance dates mapped above. It is difficult to imagine any Covered Entity that would not have to take some action to comply with the new requirements. The following project steps are suggested for consideration by Covered Entities:
- Determine whether or not the limited exemption for small businesses, or one of the other exemptions, would apply.
- Identify and gather the project team, consisting of internal decision makers, IT personnel, internal legal and regulatory staff, and experienced external legal and regulatory resources.
- Identify outside resources that will be required for various functions, such as pen testing.
- Catalogue all existing programs, policies and procedures related to cybersecurity.
- Assign team members to review and, as necessary, revise each existing program, policy and procedure, and to draft any new documentation needed to comply with the new requirements.
- Map the timeline of deliverables to achieve compliance by the effective date and the various transition dates.