On March 1, 2017, the New York State Department of Financial Services’ (“DFS”) “Cybersecurity Requirements for Financial Services Companies,” 23 NYCRR 500 (the “Regulations”), went into effect. The final version of the Regulations, originally proposed on September 28, 2016, is relatively unchanged from the revised version announced on December 28, 2016. Touted by Governor Cuomo as the “first in the nation” state cybersecurity regulations, the Regulations impose stringent requirements on New York’s financial institutions.
Who is Covered?
The Regulations apply to “Covered Entities,” which include any individual or non-governmental entity required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law. Consequently, a financial institution may be subject to the Regulations even if it is not incorporated in New York and does not have its principal place of business there.
Summary of the Regulations
Covered Entities are required to conduct periodic risk assessments and, using those assessments, create a cybersecurity program to: (a) identify risks to “Nonpublic Information” stored on the Covered Entity’s information systems, (b) use defensive infrastructure and implement policies and procedures to protect the Covered Entity’s information systems and Nonpublic Information, (c) detect successful or unsuccessful attempts to gain access to, disrupt or misuse information systems or data stored on them (each, a “Cybersecurity Event”), (d) recover from Cybersecurity Events, and (e) fulfill regulatory reporting requirements.
One of the key elements of the Regulations is the scope of the data required to be protected. Nonpublic Information (“NPI”) is very broadly defined and includes not only personally-identifiable information (such as a client’s name or social security number), but also any electronic information the disclosure of which “would cause a material adverse impact to the business operations or security of the Covered Entity” (for example, employee complaints about Covered Entity management).
The cybersecurity program must be overseen, implemented and enforced by a “qualified” chief information security officer (“CISO”), who is required to provide an annual written report to the Covered Entity’s board of directors or equivalent governing body. The Regulations also require Covered Entities to undertake the following:
- Annual penetration testing and bi-annual (twice-yearly) vulnerability assessments, including systematic scans or reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities, based on the Covered Entity’s risk assessment;
- Maintain an audit trail designed to detect and respond to likely cybersecurity threats and reconstruct material financial transactions (and maintain records of such transactions for at least five years);
- Limit and periodically review user access privileges to information systems that provide access to NPI;
- Ensure the use of secure development practices for internally and externally-developed applications used within the context of the Covered Entity’s technology environment;
- Implement written policies and procedures addressing minimum cybersecurity practices and due diligence and periodic assessments of third-party service providers granted access to the Covered Entity’s information systems or holding its NPI;
- In addition to a CISO, engage qualified cybersecurity personnel (which may be employees of an affiliate or other third party) and provide such personnel with cybersecurity training and updates;
- Provide regular cybersecurity awareness training for all Covered Entity personnel;
- Make use of effective access controls (such as multi-factor authentication for external access to internal networks) and encryption of NPI both in transit over external networks and at rest, or, where encryption is infeasible, compensating controls approved by the CISO;
- Dispose of NPI that is no longer needed for the Covered Entity to conduct business operations;
- Prepare a Cybersecurity Event written response plan; and
- Notify the DFS Superintendent as promptly as possible, and in no event later than 72 hours after determining that a Cybersecurity Event has occurred, where the event is either required to be reported to another government body, self-regulatory agency or supervisory body, or is reasonably likely to materially harm a material part of normal operations.
Emphasizing the increased importance of senior management accountability for cybersecurity, the Regulations require a Covered Entity’s board of directors or a senior officer to submit to the DFS Superintendent an annual certificate of compliance, starting on February 15, 2018.
Section 500.19 of the Regulations carves out compliance exemptions for certain Covered Entities, including smaller Covered Entities with (a) fewer than 10 employees (including independent contractors), (b) less than $5 million in gross annual revenue from New York business operations in each of the last three fiscal years, or (c) less than $10 million in year-end total assets. Other Covered Entities eligible for a compliance exemption include captive insurance companies and entities that do not (directly or indirectly) operate, maintain, utilize or control information systems.
It is important to note, however, that the exemptions in Section 500.19 are limited: they relieve eligible Covered Entities of some, but not all, of the Regulations’ requirements. For example, while the aforementioned Covered Entities are not required to designate a CISO, they must still conduct periodic risk assessments, promulgate third-party service provider security policies, maintain limits on data retention and notify the DFS Superintendent of Cybersecurity Events. In addition, the smaller Covered Entities described above are still required to promulgate cybersecurity programs and policies and limit user access privileges.
Given that New York is home to a large number of financial institutions, the Regulations are expected to impact a wide array of businesses, including many of those institutions’ service providers (who should be prepared to receive cybersecurity questionnaires from their clients). The DFS has introduced transitional periods for Covered Entities to comply with the Regulations, with compliance for certain provisions required by August 28, 2017, and full compliance required by March 1, 2019.