New York State’s long-awaited Cybersecurity Regulations for financial institutions were released last week by the New York State Department of Financial Services (“NYDFS”) for a 45-day public notice and comment period, starting Sept 28, 2016, after which the Regs will go into effect on January 1, 2017, unless modified, as codified at 23 NYCRR Part 500 (Financial Services Law). The official press release is available here. In a nutshell, the good and bad are:
For starters, the Regs are simultaneously high level (see the PDF overview “DFS Cybersecurity Regulation Overview”) and very granular, with specific security requirement items, covered below, such as the requirements to appoint a Chief Information Security Officer, annual certification of compliance to the NYDFS, and others (see the PDF “DFS Cybersecurity Regulations Details”).
As a further initial matter, who do the new Regs apply to under the banner of “regulated financial institutions” (“RFI”)? RFIs for NYDFS purposes include any person or entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law or the financial services law.” That covers a broad territory, see Who We Supervise.
The Regs do provide “Limited Exemptions”: the Regs do not apply to an entity that meets all three of the following criteria: (1) fewer than 1000 customers in each of the last three calendar years, (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years, and (3) less than $10,000,000 in year-end total assets.
In essence, the Regs are focused on “Cybersecurity Events” affecting “Nonpublic Information” concerning RFIs’ “Information Systems,” as each is defined by the Regs. And the definition of Nonpublic Information is extremely broad, including traditional personally identifiable information elements, health information, what is generally known as nonpublic financial information under GLBA, and then “any business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity.” Let that sink in for a moment, because that goes far beyond the data generally regulated by privacy and data security statutes.
The 19-page Regs, as a whole, truly serve up a laundry list of items RFIs need to examine, implement or fulfill in the areas of:
- creating and maintaining a Cybersecurity Program and Cybersecurity Policy,
- designating a CISO responsible for the Cybersecurity Program,
- conducting annual penetration testing of Information Systems and quarterly (!) vulnerability assessments of Information Systems,
- implementing and maintaining audit trail systems meeting the specific NYDFS requirements,
- introducing specific access privilege controls and limitations,
- generating written procedures, guidelines and standards for secure development practices covering in-house development and security testing of all “externally developed applications” used,
- conducting detailed and documented risk assessments of all of the above programs, policies and systems,
- employing “cybersecurity personnel sufficient to manage the Covered Entity’s cybersecurity risk…” (chew on that requirement for a moment), and requiring them to attend regular cybersecurity “update and training sessions”,
- implementing detailed “policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties doing business with the Covered Entity” – detailed further below,
- requiring Multi-Factor Authentication for: (i) all external access to Information Systems, (ii) privileged access to databases containing Nonpublic Information (recall how broadly NPI is defined by the Regs), and (iii) any access to “web applications that capture, display or interface with Nonpublic Information” (this arguably includes every customer login to online banking, etc.),
- data retention limits for NPI and a mandate of “timely destruction” of such information when it is “no longer necessary for the provision of the products or services”,
- detailed training and monitoring to detect unauthorized access to NPI and a requirement that all personnel attend “regular cybersecurity awareness training” that is “updated to reflect risks identified” by the annual risk assessment,
- required encryption of all NPI held or transmitted by the Covered Entity, both in transit and at rest, or, where encryption is currently infeasible, applying “appropriate alternative compensating controls” (for up to one year for data in transit and up to five years for data at rest),
- creating a specific Written Incident Response Plan, as part of the Cybersecurity Program, that meets the minimum requirements specified in the Regs,
- providing notice to the NYDFS Superintendent within 72 hours of any Cybersecurity Event that “has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information,” and notification within 72 hours of identifying “any material risk or imminent harm relating to its cybersecurity program.” I should have warned you to be sitting down before this section. And note that under existing NY law, when there has been a breach of computerized data involving personal information, a breached entity must notify the NY AG, the NYS Division of State Police and the NY Department of State’s Division of Consumer Protection. And now the NYDFS…
- annual written certification by Jan. 15 of each year (using the form set forth in the Regs) that the Covered Entity is in compliance with the Regs, documenting any remedial efforts planned and underway to address any systems or processes requiring improvement.
Ok, that’s the downside above. Significant and detailed. And costly. On the plus side, for RFIs subject to the Regs, the mere existence of the Regs provides significant leverage when negotiating third party service provider agreements in the area of data privacy and information security. Why? Let’s see.
Third Party Service Providers.
- Now that applicable RFIs have the clear statutory requirements detailed above, as part of their negotiation leverage over third-party vendor contracts, they can now say without hyperbole that vendors MUST agree (with details to be negotiated, of course) to infosec obligations sufficient for RFIs to fulfill, at a minimum, the Regs’ requirements of:
  - identification and risk assessment of third-parties with access to such information systems or such nonpublic information;
  - minimum cybersecurity practices required to be met by such third-parties;
  - due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-parties; and
  - periodic assessment, at least annually, of third-parties and the continued adequacy of their cybersecurity practices.
As part of the above, the limitation of liability and indemnification terms offered by such vendors should be carefully reviewed in any negotiation.
To discuss the above or any specific changes to your data security practices, agreements and template, feel free to contact us at firstname.lastname@example.org or 203 307-2665.
Press Release – http://www.dfs.ny.gov/about/press/pr1609131.htm
GOVERNOR CUOMO ANNOUNCES PROPOSAL OF FIRST-IN-THE-NATION CYBERSECURITY REGULATION TO PROTECT CONSUMERS AND FINANCIAL INSTITUTIONS
Proposed Rule Aims to Protect Consumer Data and Financial Systems from Terrorist Organizations and Other Criminal Enterprises
Governor Andrew M. Cuomo today announced that a new first-in-the-nation regulation has been proposed to protect New York State from the ever-growing threat of cyber-attacks.
The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said Governor Cuomo.
“This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.” The proposed regulation is subject to a 45-day notice and public comment period before its final issuance.
It requires regulated financial institutions to establish a cybersecurity program; adopt a written cybersecurity policy; designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems. More details on the regulation can be found here.
The proposed regulation by the Department of Financial Services includes certain regulatory minimum standards while maintaining flexibility so that the final rule does not limit industry innovation and instead encourages firms to keep pace with technological advances. New York State Department of Financial Services Superintendent Maria T. Vullo said, “Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with.
DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs. Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”
Prior to proposing this new regulation, the Department of Financial Services surveyed nearly 200 regulated banking institutions and insurance companies to obtain insight into the industry’s efforts to prevent cybercrime. Additionally, it met with a cross-section of those surveyed, as well as cybersecurity experts, to discuss emerging trends and risks, as well as due diligence processes, policies and procedures governing relationships with third party vendors. The findings from these surveys led to three reports which helped to inform the rulemaking process.