The financial services industry has been dealing with requirements for cybersecurity since 1999, but 2017 brought new, significant, and proliferating obligations. The bar for the whole industry was clearly raised by the unilateral action of the New York Department of Financial Services (DFS), which adopted a new regulation, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), effective March 1, 2017. The DFS Cybersecurity Regulation imposes significant new responsibilities on DFS licensees (which include insurers and producers, banks, mortgage lenders and brokers, and others) over a transition period ending in 2019.
Taking up the mantle, the National Association of Insurance Commissioners (NAIC), which had been working on a model information security law for two years, essentially scrapped its prior drafts and, in October 2017, adopted much of the terminology and concepts of the DFS Regulation to promulgate a model law that would not create substantial inconsistencies with the DFS Regulation. In fact, a drafter's note to the NAIC Model specifies that compliance with the DFS Regulation would be deemed compliance with the NAIC Model. There are, however, important differences and distinctions between the two regimes, and it is certainly possible that states will adopt the NAIC Model with their own revisions that could create additional inconsistencies, which would complicate compliance and drive up its cost.
The NAIC Model, if and as adopted into law by the various states, would apply to licensees of state insurance regulators. The DFS Regulation applies to all DFS licensees (as well as those required to obtain DFS permits, registrations, and other authorizations), including licensees in the insurance, banking and other financial services industries, but does not include securities firms, which are not, in New York, licensed by the DFS. It is interesting to note that the Colorado Division of Securities and the Vermont Securities Division have adopted regulations, similar in many respects to New York’s, but specific to the securities industry. Between the NAIC Model and other state initiatives, the technical cybersecurity requirements for the financial services industry may certainly be expected to proliferate. Even for financial services participants outside the insurance industry, and for those in jurisdictions that may not take immediate action to adopt the NAIC Model, a review of the new duties would be well-advised, as the themes, if not the actual technical requirements, should be addressed in any serious cybersecurity program.
The following is a description of some of the critical provisions of the DFS Regulation and the NAIC Model, and the differences and nuances between them.
- Information Security Program. Both the DFS Regulation and the NAIC Model require the adoption of an Information Security Program (called a Cybersecurity Program in the DFS Regulation) to govern the protection of data and systems. One of the important developments of the DFS Regulation and the NAIC Model is the recognition that cybersecurity must go further than the protection of information alone: it must protect both the information and the information and operating systems themselves. Both the NAIC Model and the DFS Regulation contemplate that the program should take into account the size and sophistication of the licensee, and the nature of its risks, although the NAIC Model is more explicit on this point.
- Risk Assessment. Under both regimes, the Information Security Program itself, and the other, related policies and procedures, are to be based on a risk assessment. The DFS Regulation is far more specific on the technical requirements for a risk assessment, including that it must be conducted in accordance with written policies and procedures.
- Qualified and Trained Personnel. As cybersecurity cannot be addressed with exclusively technical solutions, and as human error figures so prominently as a cause of compromises, both the DFS Regulation and the NAIC Model impose responsibilities related to personnel. The DFS obligations concerning personnel are far more exacting and onerous, but both require the designation of a specific person to be responsible for cybersecurity, and the implementation of awareness training for all personnel.
- Access Control. A key element of any cybersecurity program, controlling access to information systems, is a specific requirement of both the DFS Regulation and the NAIC Model.
- Encryption. While the NAIC specifically requires encryption only of certain data transmitted over a public network, and stored on laptops and other mobile devices, the DFS Regulation also requires encryption of data at rest (e.g., on desktops and servers, or in storage), with some flexibility for compensating controls where encryption is not feasible.
- Notification of certain Cybersecurity Events. Consistent with the new European regime under the General Data Protection Regulation, both the DFS Regulation and the NAIC Model require notification to the regulator of certain compromises of data and systems within 72 hours. Both also leave the obligation to notify affected individuals and other parties to the general breach notification statutes, except that the NAIC Model also requires 72-hour notice by reinsurers to ceding insurers.
- Annual Certification of Compliance. Under both the DFS Regulation and the NAIC Model, annual certificates of compliance must be filed with the regulator. It is important to note, however, that the certification requirement of the NAIC Model applies only to insurance companies, and not to other licensees such as producers and others.
- Exemptions. Both the DFS Regulation and the NAIC Model contain exemptions for certain reinsurers, captives and others, but the DFS Regulation contains several additional, important exemptions. For example, while the NAIC Model would exempt licensees with fewer than 10 employees, the small business exemption of the DFS Regulation also contains an asset and revenue threshold below which a business is exempt. This could reflect the fact that the NAIC Model has expressly provided that its obligations are to be based on the size and sophistication of the licensee; the DFS Regulation has less built-in flexibility. It is important to note that the DFS exemptions for certain covered entities are only partial, and still require compliance with significant elements of the DFS Regulation. Significantly, the NAIC Model exemptions are self-executing, while several of the exemptions under the DFS Regulation require the filing of a notification of exemption.