As written by SmartEdgeLaw Group Attorney Richard Santalesa, in the September 30, 2016 IAPP Privacy Tracker and Daily Dashboard – at https://iapp.org/news/a/proposed-cybersec-regulations-for-new-york-financial-institutions-have-a-broad-reach/
Proposed cybersec regulations for New York financial institutions have a broad reach
Privacy Tracker | Sep 30, 2016
New York state’s long-awaited Cybersecurity Regulations For Financial Services Companies, issued by the New York State Department of Financial Services on Sept. 13, will impose significant data and information security requirements on what NYDFS considers “regulated financial institutions” within its specific jurisdiction.
A 45-day public notice and comment period began Sept. 28 when the regulations were published in the New York State Register (in summary and in full). After the public comment period the regulations, as codified at 23 NYCRR Part 500 (Financial Services Law) unless further modified, will go into force Jan. 1, 2017, with the mandates taking full effect 180 days thereafter.
As a starting point, while the regulations ostensibly apply only to New York-regulated financial institutions, NYDFS defines “regulated financial institutions” to include any person or entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law or the financial services law.” That covers a broad territory; see Who We Supervise.
Beyond this, these requirements will be pushed onto any third-party service provider with access to an RFI’s nonpublic information or information systems, as each is broadly defined. The result is, third-party vendors that provide services to New York RFIs, regardless of where they are located, will, come next July, be mandated to take on new and potentially expansive burdens. In turn, many RFI service agreement templates will need to be modified along with existing contracts amended to comply with the regulations’ requirements.
The NYDFS responded to various recommendations it received over the past two years in formulating the regulations by adopting a “risk based” approach overall, but layered on surprisingly granular and specific security requirements.
In essence, the regulations focus on minimizing “cybersecurity events” affecting “nonpublic information” concerning RFI’s “information systems” as each are defined by the regulations. And the definition of nonpublic information is surprisingly broad. As defined in Sec. 500.01(g), NPI includes all nonpublic electronic information that contains traditional personally identifiable information elements, health information, financial transaction information, and what is generally known as nonpublic financial information under the Gramm-Leach-Bliley Act. It also includes “any business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity.”
This last item goes far beyond typical definitions of PII, personal data or confidential information regulated by privacy and data security statutes or vendor contracts and is certain to generate significant negotiations with vendors when finalizing reg-compliant data security exhibits to vendor service agreements.
As a whole, the regulations serve up a long laundry list of items RFIs will need to examine, implement or fulfill, including:
- Creating and maintaining a cybersecurity program (Sec. 500.02), including data mapping, and a written cybersecurity policy (Sec. 500.03), which must address a minimum of fourteen separate topics, including “customer data privacy,” and “vendor and third-party service provider management.”
- Designating a CISO responsible for “overseeing and implementing” the cybersecurity program and “enforcing” the cybersecurity policy. (Notably, this CISO function can be provided by an outside third-party service.)(Sec. 500.04) The CISO must also provide a bi-annual written report to the RFI’s board containing specific details. Given the details required, RFIs will be correctly concerned that the CISO report “shall be made available to the [NYDFS] superintendent upon request.” (Notably, in many companies chief privacy officers handle one or both of these areas in conjunction with a CISO, while the CISO often ultimately “owns” the cybersecurity program overall.)
- Conducting annual penetration testing and quarterly vulnerability assessments of information systems (Sec. 500.05).
- Implementing and maintaining significant audit trail logging and systems that meet the specific requirements in Sec. 500.06, including maintaining audit trail records for “not fewer than six years.”
- Requiring specific access privilege controls and limitations on access to NPI (Sec. 500.07),
- Generating written procedures, guidelines and standards for in-house development to ensure secure development practices and security testing of all “externally developed applications” used (Sec. 500.08). (How this is going to apply to cloud applications remains to be seen.)
- Conducting detailed and documented risk assessment of all of the above programs, policies and systems at least annually (Sec. 500.09).
- Employing cybersecurity personnel “sufficient to manage the Covered Entity’s cybersecurity risk …” and requiring them to attend regular cybersecurity “update and training sessions” (Sec. 500.10). (How does an RFI demonstrate to the NYDFS that “sufficient” personnel are engaged?)
- Implementing detailed policies and procedures “designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties” (Sec. 500.11).
- Requiring multi-factor authentication (Sec. 500.12) for: (i) all external access to Information Systems, (ii) privileged access to databases containing NPI (recall how broadly NPI is defined), (iii) and “risk-based authentication” for access to “web applications that capture, display or interface with NPI.” (Arguably this includes every employee and customer login.)
- Mandating data retention limits for NPI and requiring “timely destruction” of such information when it is “no longer necessary for the provision of the products or services” (Sec. 500.13).
- Implementing training and monitoring to detect unauthorized access to NPI and require that all personnel attend “regular cybersecurity awareness training” that is “updated to reflect risks identified” by the annual risk assessment (Sec. 500.14).
- Encrypting all NPI held or transmitted by the RFI both in transit and at rest (Sec. 500.15). Where current encryption is infeasible RFIs may apply “appropriate alternative compensating controls” for one year from the regulations’ effective date for encryption in transit and for five years for encryption at rest.
- Creating a written incident response plan, as part of the cybersecurity program, addressing at minimum seven detailed areas.
- Providing notice to the NYDFS superintendent within 72 hours of any cybersecurity event that “has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information.” An RFI must also provide notice within 72 hours when it has “identified any material risk of imminent harm relating to its cybersecurity program.” (This is an unheard of notification requirement. Note that under existing NY law, when there has been breach of computerized data involving personal information, a breached entity must already notify the NY attorney general, the NYS Division of State Police and the NY Department of State’s Division of Consumer Protection. And add on the NYDFS for RFIs.)
- Certify annually by Jan. 15 of each year – using the form provided in the regulations – that the RFI is compliant. And also documenting in the certification any remedial efforts planned and underway to address any systems or processes.
Clearly, the above details an extremely robust regime that is likely to be neither trivial, nor cost-free to accomplish.
The rubber will really meet the road externally for RFIs through operation of Sec. 500.11, Third Party Information Security Policy.
In short, 500.11 requires “minimum cybersecurity practices” to be met by third party vendors and an assessment by RFIs of third parties’ cybersecurity practices at least annually. Many RFIs already regulated by the alphabet soup of federal financial oversight agencies (e.g., SEC, OCC, FFIEC, FDIC, CFSB, FTC, etc.) may already be doing such third-party vendor management items. However, these regulations go beyond to require, where applicable, “preferred provisions to be included in contracts with third party service providers” addressing: MFA, encryption in transit and at rest, prompt notice to the RFI, id protection services for customers resulting from the third party service provider’s “negligence or willful misconduct” and, “representations and warranties” that the service or product is virus and malware free. Lastly 500.11(6) requires that an RFI “or its agent [have the right] to perform cybersecurity audits of the third party service provider.” This is likely to be an issue for many, if not all, smaller service providers. Get ready for some interesting negotiations between RFIs and service provider vendors next year.
The regulations do provide a “Limited Exemption” for those RFI’s that meet all of the following: (1) fewer than 1,000 customers in each of the last three calendar years, and (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years, and (3) less than $10,000,000 in year-end total assets. Entities that meet all three get a pass from having the regulations apply to them.
Even with this carveout, New York regulated financial institutions – and their vendors and service providers – may have some heavy lifting to do starting Jan. 1, 2017. Stay tuned.