On December 28, 2016, the New York State Department of Financial Services (NYDFS) issued a revised proposed cybersecurity regulation, Cybersecurity Requirements for Financial Services Companies. The revised proposed regulation reflects several substantive changes made in response to over 150 public comments received by NYDFS in response to the original proposed regulation published this past September. These regulations represent the culmination of NYDFS’s multiyear inquiry into the efforts of banking institutions and insurance companies to prevent cybercrime, which included an extensive assessment and review of NYDFS-regulated banks, NYDFS-regulated insurance companies, and third-party vendors. NYDFS is accepting further comments to the proposed regulation through January 27, 2017.
Much like the version proposed in September, the revised regulation is designed to set certain minimum cybersecurity standards and processes to be followed by regulated institutions. We have summarized below the key obligations that the regulations would impose, along with their effective dates, if they are implemented in their current form.
The revised version of NYDFS’s proposed regulation mandates that all NYDFS-regulated institutions implement the following.
No later than August 28, 2017:
- The development of a robust cybersecurity program designed to identify internal and external cybersecurity risks, detect cybersecurity events, respond to those events and mitigate any negative effects, recover from a cybersecurity event and fulfill applicable regulatory reporting obligations. A cybersecurity event is defined as an act or attempt to gain unauthorized access to, disrupt or misuse an information system maintained by a regulated entity.
- The implementation of a written cybersecurity policy that has been approved by an entity’s senior officer or its board of directors. The written policy should address the following areas: information security, data governance and classification, asset inventory and device management, access controls, business continuity and disaster recovery, network security, systems and application development, customer data privacy, vendor and third-party service provider management, risk assessment and incident response.
- The designation of a qualified individual to act as a chief information security officer (CISO), who will report to the board of directors.
- A written incident response plan, which shall include internal processes for responding to a cybersecurity event; goals of the incident response plan; clear roles, responsibilities, and levels of decision-making authority; external and internal communications and information sharing; identification of requirements for the remediation of any identified weaknesses; documentation and reporting regarding cybersecurity events and related incident response activity; and the evaluation and revision of the incident response plan following any cybersecurity event.
- Limits on user access privileges to information systems that provide access to nonpublic information.
- The use of qualified cybersecurity personnel to manage the entity’s risks and oversee performance of core cybersecurity functions.
- Notice to the superintendent of NYDFS within 72 hours of a determination that a cybersecurity event has occurred.
No later than March 1, 2018:
- Periodic penetration testing and vulnerability assessments.
- Maintenance of a proper audit trail designed to detect and respond to cybersecurity events.
- Written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications, and procedures for evaluating, assessing and testing the security of externally developed applications.
- A periodic risk assessment to be carried out in accordance with written policies and procedures.
- Unless determined to be infeasible, encryption of data in transit and at rest.
- The use of effective access controls, including multi-factor or risk-based authentication. Unless authorized otherwise by the CISO, multi-factor authentication must be used when accessing internal networks from an external network.
- Cybersecurity awareness training for all personnel.
- A written report on the cybersecurity program and material cybersecurity risks, presented to the entity’s governing body.
No later than September 1, 2018:
- An audit trail system designed to reconstruct material financial transactions sufficient to support normal operations.
- Written procedures to ensure the use of secure development practices for in-house applications and procedures for testing externally developed programs.
- Policies and procedures designed to monitor the activities of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information.
- Procedures for the secure disposal of nonpublic information that is no longer necessary for business operations.
On February 15, 2018, and annually thereafter:
- An annual statement filed with NYDFS certifying compliance with the regulation.
No later than March 1, 2019:
- The implementation of a written third-party service provider policy. Such policy shall include identification and risk assessment of third-party service providers; minimum cybersecurity practices to be met by those providers; due diligence to evaluate the adequacy of cybersecurity practices of such third-party service providers; periodic assessments; and guidelines to be followed by third-party service providers, including multi-factor authentication, the use of encryption, representations and warranties addressing the providers’ cybersecurity policies, and a requirement that the third-party service providers provide notice of any cybersecurity events.
Significant Changes from September Proposal
In comparison to the regulations originally proposed by NYDFS in September, the proposed regulation allows for more flexibility in the application of the mandated controls, examples of which include the following:
- The transitional period for full implementation of the regulations has been extended and now includes the graduated effective dates outlined above.
- The revised regulation has carved out an exemption for smaller entities that have fewer than 10 employees, less than $5 million in gross annual revenue for each of the past three fiscal years, or less than $10 million in year-end total assets.
- The revised regulation is less prescriptive in the requirements to be used in maintaining an audit trail. Additionally, the covered period has been reduced from six to five years.
- The definition of nonpublic information has been revised to conform more closely to the definition set forth in New York breach notification laws.
- The requirement to encrypt nonpublic information now includes a feasibility assessment.
- Entities are now required only to respond to and notify NYDFS about “material” cyberattacks, as opposed to all cyberattacks.
- Dual hatting is permitted, and covered entities do not need to designate an individual who will act exclusively as CISO. Instead, covered entities must simply designate an individual who can perform the function of a CISO. The reporting requirement has been relaxed—under the current proposal, the CISO must provide a report to the entity’s governing body once a year.
- Covered entities are permitted to satisfy the requirements through the use of an affiliate’s program.
The regulations—even as modified to ostensibly address the concerns voiced by the financial industry during the previous comment period—would still impose a significant burden on regulated entities if they are implemented as currently proposed. In order to come into compliance, entities would be required to devote resources to performing risk assessments, creating a cybersecurity program and certifying the program to NYDFS. Comments may be submitted either directly to NYDFS or through outside regulatory counsel.