On September 13, 2016, the New York State Department of Financial Services (the “DFS”) issued a proposed rule implementing cybersecurity requirements for financial services companies in New York. Entities covered by the rule include any person or company required to operate under a charter, license, registration, or similar authorization under New York banking, insurance, or financial services law, which designation would include money transmitters licensed by the DFS.
Requirement for a Cybersecurity Program and Policy
The proposed rule requires covered entities to establish and maintain a cybersecurity program “designed to ensure the confidentiality, integrity and availability” of the entity’s information systems by performing the following core cybersecurity functions: (i) identification of cybersecurity risks; (ii) implementation of policies and procedures to protect against unauthorized access or use or other malicious attacks; (iii) detection of cybersecurity events, which are defined as any act or attempt to gain unauthorized access to, disrupt, or misuse an entity’s information systems; (iv) responsiveness to identified or detected cybersecurity events in order to mitigate negative effects of the same; (v) recovery from cybersecurity events; and (vi) fulfillment of all regulatory reporting obligations.
Further, each covered entity is required to implement and maintain a written cybersecurity policy setting forth policies and procedures for the protection of its information systems and non-public information, which is defined to include both confidential business information, the disclosure of which would materially harm the business, and certain personal information about an individual. The cybersecurity policy must address, at a minimum, the following: (i) information security; (ii) data governance and classification; (iii) access controls and identity management; (iv) business continuity and disaster recovery; (v) capacity and performance planning; (vi) systems operations and availability concerns; (vii) systems and network security; (viii) systems and network monitoring; (ix) systems and application development and quality assurance; (x) physical security and environmental controls; (xi) customer data privacy; (xii) vendor and third-party service provider management; (xiii) risk assessment; and (xiv) incident response. The cybersecurity policy must be reviewed by the entity’s board of directors (or its equivalent) and approved by a senior officer of the entity at least annually.
Requirement for a Chief Information Security Officer
Under the proposed rule, each covered entity is required to designate a qualified individual to serve as the Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the entity’s cybersecurity program and enforcing its cybersecurity policy. Notably, in lieu of designating or hiring a CISO, a covered entity may appoint a non-employee third party as its de facto CISO, provided that the covered entity (i) maintains oversight and responsibility for compliance with the proposed rule; and (ii) designates a senior employee as responsible for oversight of the third-party CISO. The CISO must prepare a report for the covered entity’s board of directors (or equivalent) at least bi-annually, which report must address risks to the entity and effectiveness of the cybersecurity program, including remediation proposals and a summary of all material cybersecurity events affecting the entity during the period covered by the report.
Special Requirements for Third-party Service Providers
The proposed rule also requires covered entities to implement policies and procedures designed to ensure the security of information systems and non-public information that are accessible to, or held by, third-party service providers. At a minimum, these policies and procedures must identify third parties with access to information systems or non-public information, and include a risk assessment of the same; set forth minimum cybersecurity practices required to be met by such third parties; and address the due diligence processes used to evaluate the adequacy of cybersecurity practices of such third parties. Covered entities must also conduct an assessment of the cybersecurity practices of such third parties at least annually.
Additionally, covered entities must ensure that provisions addressing specific cybersecurity concerns, as set forth in the proposed rule, are included in all agreements with third-party service providers.
Encryption Required for All Non-public Information Held or Transmitted
As part of its cybersecurity program, each covered entity must encrypt all non-public information (which is defined to include confidential business information, the disclosure of which would materially harm the business, as well as certain personal information about an individual) held or transmitted by the entity. Covered entities have one year from the regulation’s effective date to comply with this requirement for transmitted data, and five years to comply with the regulation as it relates to data at rest, provided sufficient compensating controls are employed in the meantime.
Additional Requirements under the Proposed Rule
In addition to the above provisions, each cybersecurity program must provide for the following:
- Annual penetration testing and vulnerability assessments;
- Implementation and maintenance of an audit trail system to reconstruct transactions and log access privileges;
- Limitations and periodic reviews of access privileges;
- Written application security procedures, guidelines, and standards that are reviewed and updated by the CISO at least annually;
- An annual risk assessment of the covered entity’s information systems;
- Employment and training of cybersecurity personnel, though non-employee third parties may be used in this role, pursuant to the same conditions noted above for use of a third-party CISO;
- Multi-factor authentication for individuals accessing internal systems remotely, or who have privileged access;
- Timely destruction of non-public information that is no longer necessary, except where required by law;
- Monitoring of authorized users and cybersecurity training for all personnel; and
- A written incident response plan.
Each covered entity is also required to provide certain notices to the Superintendent of Financial Services, including reports following cybersecurity events (defined as any act or attempt to gain unauthorized access to, disrupt, or misuse an entity’s information systems) and an annual statement of compliance.
Limited Exemption Based on Volume
The proposed rule includes a limited exemption for covered entities that meet all of the following requirements: (i) fewer than 1000 customers in each of the last three years; (ii) less than $5,000,000 in gross annual revenue in each of the last three years; and (iii) less than $10,000,000 in year-end total assets, including assets of all affiliates. Such entities are exempt from certain provisions of the proposed rule, but must still implement a cybersecurity program and written policies, among other requirements.
The proposed rule was published in the New York State Register on September 28, 2016; there is a 45-day public comment period. If adopted, the rule will become effective January 1, 2017. Covered entities, including money transmitters licensed in New York, should review their existing cybersecurity programs to ensure compliance with the proposed rule, or prioritize adopting a compliant cybersecurity program ahead of the rule’s effective date.
It is important to note that, in the event a licensed money transmitter appoints a CISO, certain states may consider that individual to be a control person under the state money transmission statutes. Such a determination would require the CISO to provide his or her biographical and/or financial information to the state for vetting and background check, usually within a relatively short time period following the appointment, or, in the case of at least one state, ahead of the appointment. To that end, it may make sense for licensed money transmitters who are considering appointing a CISO to contact the state banking departments and seek a determination of whether a CISO would be considered a control person under each state’s provisions.