Proposed Regulation – New York Department of Financial Services (DFS) Cybersecurity Requirements for Financial Services Companies
On December 28, 2016, the New York State Register published the New York Department of Financial Services (the “DFS”) revised proposal for the Cybersecurity Requirements for Financial Services Companies (“Revised Proposed Regulations”). Similar to the original proposed Rule, the Revised Proposed Regulations would require banks, insurance companies, and other financial services institutions regulated by the DFS (“Covered Entities”) to establish and maintain a cybersecurity program.
This is part of a larger movement recognizing that companies have a responsibility to better protect the private information of customers and the critical information systems on which these customers rely. If adopted, New York would be the first state to mandate such cybersecurity requirements by law.
The Revised Proposed Regulations published on December 28th differ from the original proposed regulations in several respects, including:
- Narrowing the definition of “nonpublic information”;
- Requiring periodic risk assessments instead of annual;
- Changing the Chief Information Security Officer (“CISO”) certification from bi-annually to annually; and
- Providing additional time for complying with certain sections of the final regulation.
The DFS has granted an additional 30-day comment period (ending January 27th) on the Revised Proposed Regulations, after which they will issue the final regulation.
The Revised Proposed Regulations apply to all Covered Entities that are “required to operate in New York under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law”. Only very small institutions with fewer than ten employees, less than $5 million in gross annual revenue in each of the last three years, or less than $10 million in assets are exempt from certain requirements – these institutions are required to certify that they qualify for the exemption.
Currently, the Revised Proposed Regulations are scheduled to go into effect March 1, 2017. They contain, however, expanded transition periods for compliance as follows:
Compliance within 180 days of March 1, 2017:
- Develop a cybersecurity program
  - The Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems. The program should be based on the Covered Entity’s initial Risk Assessment.
- Implement written cybersecurity policies approved by either a senior officer or the Board of Directors
  - The policy should be based on the initial Risk Assessment and address many areas including information security, data governance, and systems and network security.
- Review access privileges
  - Each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.
- Designate a Chief Information Security Officer who reports to the Board of Directors
  - The regulation requires each Covered Entity to designate a qualified individual known as the Chief Information Security Officer (CISO) who is responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing the cybersecurity policy. The CISO can be employed by the Covered Entity, an Affiliate, or a Third Party Service Provider. The Revised Proposed Regulations require the CISO to certify annually that the cybersecurity program meets the requirements.
- Develop a cybersecurity incident response plan
  - The plan is designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity’s Information Systems.
- Begin generating required reports of cybersecurity events to the DFS
Compliance within one year of March 1, 2017:
- Perform a risk assessment of information systems: each Covered Entity shall conduct a periodic Risk Assessment of its Information Systems to inform the design of the cybersecurity program; the assessment shall be updated as reasonably necessary to address any changes.
- Implement multi-factor authentication for external access to internal networks and privileged access to nonpublic information: multi-factor authentication shall be utilized for any individual accessing the Covered Entity’s internal network from an external network, unless written approval is given.
- Begin cybersecurity training for all personnel
Compliance within eighteen months of March 1, 2017:
- Develop audit trail systems to track and maintain data to allow for reconstruction of all financial transactions and accounting necessary to detect and respond to a cybersecurity event
- Establish a data retention policy to ensure the secure disposal of nonpublic data
- Develop written policies and procedures to ensure the security of in-house developed applications
- Establish policies and procedures to monitor the activity of authorized users, detect unauthorized access, and encrypt (or impose alternative controls to protect) nonpublic information
Compliance within two years of March 1, 2017:
- Establish written policies and procedures to ensure the security of data that is accessible to or held by third party service providers
As the comment period comes to a close on the latest draft of the regulation, Covered Entities should begin to assess their current status against the modified requirements from the DFS. Further, Covered Entities should evaluate the requirements of the final rule in the context of the entity’s implementation of other requirements impacting cybersecurity, including the Federal Interagency Guidelines on Establishing Information Security Standards, the Federal Financial Institutions Examination Council’s (FFIEC) Information Security Booklet, and New York State’s data breach laws.
Although further changes to the rule are probable, firms can be certain that the development and implementation of a comprehensive cybersecurity program will be required of all non-exempt entities. For Covered Entities that have not already developed a comprehensive cybersecurity framework, action should begin now to establish the components not currently in place.
- The new DFS requirements will be the first of their kind in the United States and will require entities to develop a comprehensive cybersecurity program
- Covered Entities can leverage their existing cybersecurity framework to assess the current state and implement new policies and processes where cybersecurity deficiencies exist
- With the comment period closed as of January 27th, Covered Entities should begin reviewing the revised requirements before the announcement of the final rules in the coming weeks