The New York State Department of Financial Services ("DFS") proposed a first-of-its-kind cybersecurity regulation aimed at protecting consumers and financial institutions from cyber-attacks ("Regulation"). The new Regulation, announced by Governor Andrew Cuomo, covers all banks, insurers, and other financial services institutions under DFS's jurisdiction. It creates new requirements for banks and insurers ("Covered Entities") to establish and maintain robust controls to protect IT systems against unauthorized access and other malicious acts. Among the list of requirements, three must be carefully considered.
One, Covered Entities must notify DFS within 72 hours after becoming aware of a cybersecurity event involving an information system. This affords Covered Entities little time to assess the scope or impact of a security incident, and will impose significant organizational burdens on legal, compliance, and IT security personnel charged with formally responding.
Two, while many insurers already have robust policies and controls to protect the integrity of sensitive personal information (e.g., name combined with Social Security numbers, account or policy numbers), the new key term under the Regulation for legal and regulatory notices is Nonpublic Information. Nonpublic Information is now a broad term that includes any electronic information that:
- would cause a material adverse impact to the business, operations, or security of a Covered Entity;
- an individual provides to a Covered Entity in connection with seeking or obtaining any financial or insurance product or service;
- is derived or obtained from a health care provider about an individual's past, present, or future physical, mental, or behavioral health condition, except age or gender; and
- can be used to distinguish or trace an individual's identity, including elements such as name, date or place of birth, mother's maiden name, employment information, or information used for marketing purposes.
Three, Nonpublic Information held or transmitted must be encrypted both in transit and at rest. Considering the broad nature of the term Nonpublic Information, this will have important implications that need to be considered carefully. Covered Entities will also have one year (until January 2018) to deploy encryption of Nonpublic Information in transit, and five years (until January 2022) to encrypt all Nonpublic Information at rest. These requirements may pose practical challenges for some organizations due to the age and configurability of legacy systems, common concerns about latency, and the significant costs associated with undertaking a system-wide deployment.
We provide more details on the new requirements below, along with important timelines for convenient reference. A link to the Regulation can also be found here: http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf
New Cybersecurity Requirements
- Establish a cybersecurity program. The program must perform core cybersecurity functions to help protect the confidentiality, integrity, and availability of information systems, including: identification of cyber risks; implementation of policies and procedures to protect against unauthorized access/use or other malicious acts; detection of cybersecurity events; response to and mitigation of identified cybersecurity events; cybersecurity event recovery and restoration of operations; and fulfillment of all regulatory reporting obligations.
- Adopt a cybersecurity policy. A written cybersecurity policy must set forth the business's policies and procedures for protecting information systems and Nonpublic Information stored on such systems. The policy must address a number of specific areas, including: information security; data governance and classification; access controls and identity management; risk assessment; vendor/service provider management; and incident response.
- Event reporting. The Superintendent of DFS must be notified of certain cybersecurity events. The events must be reported as promptly as possible and within 72 hours after the business becomes aware of the event.
- Designate a CISO. A qualified individual must be appointed to serve as the chief information security officer ("CISO"). The CISO is responsible for oversight and implementation of the business's cybersecurity program and enforcement of its cybersecurity policy. The CISO must report to the board, on at least a bi-annual basis, to address specific cybersecurity issues identified by the Regulation.
- Service providers. Information security policies and procedures must be in place to address third parties, including at least the following: identification and risk assessment of third parties that maintain or have access to information systems and/or Nonpublic Information; minimum cybersecurity practices for third parties; due diligence processes to evaluate third parties' cybersecurity practices; and at least annual assessment of third parties' cybersecurity practices.
- Compliance Certification to DFS. The Board of Directors or a senior officer must provide DFS with a written certification of compliance annually by January 15, and the business must retain documentation supporting the certification for five years.
- Other controls. In addition to the above, the Regulation imposes a number of additional controls that businesses must implement, including: annual penetration testing and vulnerability assessments; audit trails; access privileges; application security; annual risk assessment; employment and training of cybersecurity personnel; multi-factor authentication; data retention limitations; user training and monitoring; encryption of all Nonpublic Information; and an incident response plan.
Next Steps and Compliance Timelines
Following its publication in the New York State Register on September 28, 2016, the proposed Regulation will be subject to a 45-day public notice and comment period. The final Regulation will then be issued after this period, and become effective on January 1, 2017. Businesses will then have a 180-day transitional period to come into compliance (with longer periods allowed for some requirements, like encryption). Businesses must begin to submit their certification of compliance to DFS on January 15, 2018.