On March 1, 2017, a comprehensive set of new cybersecurity rules adopted by the New York Department of Financial Services (DFS) took effect. The rules require banks, insurers and other entities regulated by DFS to implement a number of specific cybersecurity controls to protect not only personal information but any business information that would cause a data leak or hack to have a material adverse impact on the entity.
Below is a summary of the principal requirements, deadlines and exemptions under the rules, followed by our thoughts on implications for covered entities.
By August 28, 2017
- Maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the entity’s information systems.
- Implement a detailed cybersecurity policy.
- Designate a Chief Information Security Officer (CISO).
- Implement user access controls for the entity’s systems and nonpublic information.
- Employ qualified cybersecurity personnel (employees or service providers) sufficient to manage the entity’s cybersecurity program and risks.
- Establish an incident response plan to respond to breaches or attempted breaches of the entity’s information systems and notify DFS no later than 72 hours from determination that such an event would (a) require notice to a government body, self-regulatory agency or supervisory body or (b) be reasonably likely to materially harm any material part of the entity’s normal operations.
- Maintain for a period of five years all records supporting the entity’s annual compliance certificate submitted to DFS (see February 15, 2018 requirements below).
- Maintain documentation of areas requiring material improvement to achieve compliance with the rules and associated remedial efforts, and make such documentation available for inspection by DFS.
By February 15, 2018
- Submit to DFS the initial annual statement of the entity’s board of directors or a senior officer certifying compliance with the rules.
By March 1, 2018
- Perform comprehensive periodic risk assessments of the entity’s information systems and update them as necessary to address changes to systems and business operations.
- CISO has delivered to entity’s board of directors or equivalent governing body the initial annual report on the entity’s cybersecurity program and material cybersecurity risks.
- Implement effective continuous vulnerability monitoring or a combination of annual penetration testing and bi-annual vulnerability assessments.
- Implement multi-factor authentication or a reasonably equivalent control approved by the CISO for individuals remotely accessing the entity’s internal networks.
- Provide regular cybersecurity awareness training for all personnel.
By September 1, 2018
- Maintain audit trails designed to reconstruct material financial transactions and detect certain cybersecurity events, and retain associated records for specified periods.
- Implement procedures and guidelines to ensure secure application development practices.
- Implement limits on data retention periods to ensure secure disposal of certain nonpublic information that is no longer necessary for legitimate business purposes, unless retention is required by law or destruction is not reasonably feasible.
- Develop controls designed to monitor activity of authorized users and to detect unauthorized access to nonpublic information.
- Encrypt nonpublic information in transit and at rest or use effective alternative compensating controls approved by the CISO.
By March 1, 2019
- Implement security policies and procedures to address cybersecurity risk posed by third party service provider.
Several of the rules do not apply to entities with (a) a headcount of fewer than 10 employees/independent contractors, (b) less than $5 million in gross annual revenue for each of the last three fiscal years or (c) less than $10 million in year-end assets. Additionally, entities that do not directly or indirectly use, operate, maintain or control an information system or control, own, access, generate, receive or possess nonpublic information covered by the rules are exempt from several requirements. Employees, agents, representatives and designees of a covered entity are exempt and not required to develop their own cybersecurity program if they are covered by that covered entity’s cybersecurity program. All entities claiming an exemption must submit a notice of exemption to DFS.
For many entities regulated by DFS, the new rules pose a significant compliance challenge with substantial operational and cost impacts. The rules require organizations to do much more than simply update policies and procedures. Many organizations will be required to fundamentally change their governance structure around cybersecurity, increase cybersecurity budgets, potentially add personnel and implement specific technical controls (e.g. encryption-at-rest, multi-factor authentication). Additionally, the rules expose noncompliant entities to DFS fines and penalties and are likely to influence the standard of care applied in negligence and fiduciary duty litigation arising from data breaches experienced by covered entities.
The good news is that compliance with the DFS rules goes a long way toward helping organizations meet cybersecurity standards applied by other regulators. For example, many of the requirements align with guidance from FTC and California’s Attorney General on what constitutes “reasonable security,” and with expectations likely to apply in enforcement actions by the likes of SEC, FINRA and other regulators. In addition, the DFS rules are consistent with industry standard cybersecurity frameworks and controls (e.g., ISO 27001, NIST SP 800-53, CIS Critical Security Controls) that an increasing number of organizations adopt to shore up vulnerabilities, satisfy contractual cybersecurity obligations and meet the expectations of customers and partners. As such, investment in compliance with the DFS cybersecurity rules should yield dividends beyond the realm of DFS regulation in the years ahead.
*Admitted only in Maryland. Practice supervised by principals of the firm admitted in the District of Columbia.
To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.