On March 1, 2017, the New York Department of Financial Services (the DFS) published a notice of adoption of its final cybersecurity regulation (the Final Regulation). The regulation was first announced with much fanfare by New York Governor Andrew Cuomo in September 2016 as the first-in-nation cybersecurity regulation to protect consumers and financial institutions. A substantially revised proposal was published in December 2016.
The Final Regulation became effective on March 1, 2017, and entities subject to the regulation have 180 days from this effective date to comply, although the regulation allows additional time to comply with certain requirements.
The regulation does more than promote the protection of nonpublic information of consumers. It requires insurance companies, insurance agents and brokers, banks, and other financial services providers regulated by the DFS (Covered Entities) to conduct risk assessments of their information technology (IT) systems and maintain a cybersecurity program based on that assessment, and imposes a number of standards and requirements for governance and operation of the IT systems. Moreover, the regulation does not cover just New York domiciliaries. Instead, it extends its reach to individuals and entities that are not domiciled in New York, but are operating under or required to operate under a New York license, registration, charter or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.
The notice of adoption includes the Department’s responses to public comments it received, as required by state law. Addressing comments submitted in response to the December 2016 revised proposal, DFS made a few notable changes and several other minor changes.
Of particular interest to the insurance industry, certain classes of insurers—namely accredited reinsurers, certified reinsurers, non-domestic risk retention groups, and charitable annuity societies—are now fully exempt from the Final Regulation, provided such entities do not otherwise qualify as Covered Entities. Further, the DFS has added a limited exemption for captive insurance companies. These exemptions and other important revisions to the Final Regulation are discussed below. (For more details about additional key provisions and the development of the regulation, please see our Legal Alerts: NY DFS Announces Proposal for Cybersecurity Rules for Financial Services Companies and NY DFS Publishes Revised Proposed Cybersecurity Rules for Financial Services Companies.)
- Cybersecurity Program
Under the Final Regulation, a Covered Entity can now comply with the cybersecurity program requirements by adopting “relevant and applicable provisions of a cybersecurity program maintained by an Affiliate,” so long as those provisions satisfy the Final Regulation’s requirements. While the proposed version of the regulation also permitted a Covered Entity to adopt a cybersecurity program maintained by an Affiliate, it did not specify that the Covered Entity need only adopt the relevant and applicable provisions of the program. The DFS stated that these revisions were made to the Final Regulation to address commenters’ requests for clarification regarding the allocation of responsibilities under this provision.
- Audit Trail
As was the case under the previous proposed version, the Final Regulation requires Covered Entities to securely maintain systems that: (1) “are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity”; and (2) “include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.” Yet, the DFS did modify the audit trail record retention requirements. The previous proposed version of the regulation mandated all records required by this section to be maintained for five years. Acknowledging that commenters found this record retention standard to be overly broad, the DFS reduced the record retention period to three years with respect to records required in connection with item (2) above, but retained the five-year record retention requirement with respect to records required in connection with item (1).
- Notices To Superintendent
Although commenters sought more significant revisions to the notice provisions, including narrowing the scope of the notice requirements, extending the 72-hour reporting timeframe, and eliminating the annual certification requirement, the notice provisions in the Final Regulation remain largely unchanged, but do resolve ambiguities that were present in the previous proposed version of the regulation. First, the Final Regulation clarifies that a Covered Entity must notify the superintendent within 72 hours from a determination that either of the following has occurred: (1) “Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body”; or (2) “Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” As previously drafted, it was unclear whether notice had to be provided when either (1) or (2) had occurred, or, alternatively, only when both (1) and (2) had occurred. The Final Regulation makes clear that it requires the former. Next, the DFS removed any potential confusion about the scope of the annual certification requirement by stating in the Final Regulation that the annual certification covers the prior calendar year.
The proposed versions of the regulation left many commenters wondering whether the regulation would apply to entities and activities that are not typically regulated by the DFS. In the Final Regulation, the DFS added some exemptions and modified others in an attempt to keep the application of the Final Regulation within the DFS’s traditional regulatory boundaries. Specifically, as noted above, accredited reinsurers, certified reinsurers, non-domestic risk retention groups, and charitable annuity societies are completely exempted from the Final Regulation, provided such entities do not otherwise qualify as Covered Entities. Additionally, these entities do not need to file a notice of exemption, which must be submitted to the DFS when qualifying for other exemptions under the regulation.
The Final Regulation also provides a limited exemption for captive insurance companies, which exempts captive insurers from many of the regulation’s requirements, including the technical cybersecurity program and policy requirements, the audit trail requirements, and the multifactor authentication requirements. Captive insurers must submit a notice of exemption to the DFS and still must comply with the requirements relating to risk assessments, third party service provider security policies, limitations on data retention, and notices to the DFS.
Further, the Final Regulation retains the exemptions found in the proposed version, while clarifying eligibility for certain exemptions. Under the Final Regulation, a Covered Entity is eligible for the gross-annual-revenue limited exemption when “New York business operations of the Covered Entity and its Affiliates” do not exceed $5 million in gross annual revenue, and a Covered Entity is eligible for the under-10-employees limited exemption when the Covered Entity and its Affiliates have fewer than 10 employees (including any independent contractors) that are located in New York or are responsible for the business of the Covered Entity. However, the DFS did not address the scope of the term “independent contractor” despite requests to limit it to contractors providing services relevant to insurance operations.