The New York State Department of Financial Services (NYDFS) has proposed a new cybersecurity regulation for banks, insurance companies and other financial service companies. The proposed cybersecurity regulation would apply to all entities licensed, required to be licensed, or subject to other registration requirements under New York banking, insurance or financial services laws. The proposed regulation is subject to a 45-day notice and public comment period, following its September 28, 2016 publication in the New York State Register, before final issuance. If finalized, the proposed cybersecurity regulation would take effect on January 1, 2017, with a 180-day transitional period for covered companies to come into compliance. Once effective, covered businesses will be required to annually prepare and submit to the Financial Services Superintendent a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations under Section 500.17, commencing January 15, 2018.
The proposed cybersecurity regulation prescribes specific instructions to financial service companies to protect customer information and the information technology systems of regulated companies. The rules require covered companies to establish a cybersecurity program, adopt a cybersecurity policy, designate a chief information security officer (CISO), ensure the security of Nonpublic Information held by third parties, and conduct annual penetration testing and vulnerability assessments and train personnel on cybersecurity, among other requirements.
Breach Notification Requirement. Notably, the regulation imposes a breach notification deadline of 72 hours for the breach of “Nonpublic Information,” which covers a broader category of customer information than most state data breach notification laws. If this Nonpublic Information were potentially, or actually, tampered with, accessed or used in an unauthorized manner, the covered business must report the incident to the Financial Services Superintendent.
The regulation defines “Nonpublic Information” as including:
- any business information that, if tampered with, “would cause a material adverse impact to the business, operations, or security of the Covered Entity”;
- any information that an individual provides to the covered business “in connection with seeking or obtaining any financial product or service” from the covered business, or information about an individual resulting from the provision of such product or service;
- “any information, except age or gender, that is created by, derived or obtained from a health care provider or an individual that relates” to any health condition of an individual (or the health condition of family or household members) or payment for health care; and
- “[a]ny information that can be used to distinguish or trace an individual’s identity,” including Social Security number, date and place of birth, mother’s maiden name, as well as an individual’s educational, financial, occupational or employment information, information about an individual used for marketing purposes, and any password or other authentication factor, among other data elements.
With respect to some of the new requirements, a covered business must comply with the regulation in the following ways:
Cybersecurity Program. A covered business must establish a cybersecurity program “designed to ensure the confidentiality, integrity and availability” of the covered business’s information systems. The cybersecurity program must be designed to perform five core functions:
- Identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored on the covered business’s information systems, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed;
- Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
- Detect Cybersecurity Events;
- Respond to identified or detected Cybersecurity Events to mitigate any negative effects;
- Recover from Cybersecurity Events and restore normal operations and services; and
- Fulfill all regulatory reporting obligations.
Cybersecurity Policy. At a minimum, the cybersecurity policy must address information security, data governance and classification; access controls and identity management; business continuity and disaster recovery planning and resources; capacity and performance planning; systems operations and availability concerns; systems and network security; systems and network monitoring; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third-party service provider management; risk assessment and incident response. The cybersecurity policy must be reviewed by the board of directors and approved by a senior officer.
Chief Information Security Officer (CISO). The CISO must oversee and implement the covered business’s cybersecurity program and report to the board at least bi-annually. The report must assess the confidentiality, integrity and availability of information systems; detail exceptions to cybersecurity policies and procedures; identify cyber risks; assess the effectiveness of the cybersecurity program; propose steps to remediate any inadequacies identified; and include a summary of all material cybersecurity events that affected the regulated institution during the period addressed by the report.
Third Party Service Providers. Regulated entities that allow their vendors to access Nonpublic Information will now have to conduct appropriate risk assessments, implement written policies and procedures setting minimum cybersecurity practices for vendors, perform due diligence on third-party vendors, and assess third-party vendors’ cybersecurity practices annually. The policies and procedures must include “establishing preferred provisions to be included in contracts with third party service providers,” including provisions that address access to Nonpublic Information, data encryption, audit rights, and breach notice, among others.
Other requirements include employment and training of cybersecurity personnel, developing an incident response plan, timely destruction of Nonpublic Information, monitoring of unauthorized users, and encryption of all Nonpublic Information. In announcing the proposal, NYDFS Superintendent Maria Vullo stated, “Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.” While larger banks and insurance companies have built cybersecurity programs following recent and highly publicized intrusions, the proposed regulation will require smaller entities to develop robust cybersecurity programs even when those entities do not have experience with a cybersecurity event.
Banks, insurance companies and other financial service companies should closely monitor the 45-day public comment period and any changes to the proposed regulation that may result from it. Once the proposed cybersecurity regulation is finalized, covered businesses should consider the following steps as soon as possible in order to make the most of the 180-day transitional period for coming into compliance:
- Engage experienced outside counsel, under the attorney-client privilege, along with information security experts to conduct a comprehensive legal and security risk assessment evaluating current compliance against the finalized regulation;
- Immediately identify and evaluate the efficacy of the technology and data security controls currently in use to safeguard Nonpublic Information, and develop additional policies and processes in the event new controls are necessary under the finalized rule;
- Establish an internal working group and work with qualified outside counsel and security consultants to develop a comprehensive audit plan for the cybersecurity programs, policies and procedures that may be required under the finalized rule; and
- Review existing third-party vendor contracts with counsel and develop, then negotiate, a contractual addendum that will comply with the finalized regulation’s requirements.