On September 13, 2016, New York Governor Andrew Cuomo announced a proposal by the New York Department of Financial Services (the DFS) of a rule that establishes cybersecurity requirements for financial services companies regulated by the DFS (the NY Regulation). The NY Regulation is the culmination of three years of work by the DFS to prioritize cybersecurity oversight.
Background. In 2013, the DFS surveyed 150 regulated banking organizations concerning cybersecurity programs, costs and future plans and then followed up by surveying 43 insurance companies about their cybersecurity programs. Findings were published in 2014 and 2015. In November 2015, the DFS wrote to various federal agencies with oversight over financial institutions, informing them that there was a demonstrated need for robust regulatory action in the cybersecurity space and that the DFS was working on a regulation to increase cybersecurity defenses within the financial sector. The DFS outlined what it expected its regulation would require.
Meanwhile, in 2015, the National Association of Insurance Commissioners (NAIC) formed a Cybersecurity Task Force that has been working on an Insurance Data Security Model Law (Model Law). The Task Force plans to complete the Model Law by year end.
The DFS has now presented its proposal. If adopted as proposed, the NY Regulation would become effective on January 1, 2017, and entities subject to the regulation would have 180 days from this effective date to comply. A notice of proposed rulemaking (NOPR) has not yet been published in the New York State Register (the Register), but is expected to be published in the September 28 issue. A 45-day comment period starting on September 28 would end on November 12, 2016.
Summary. While the NY Regulation has many of the same features as the NAIC’s Model Law, the NY Regulation imposes far more particularized cybersecurity requirements. While the framework from the November 2015 outline was kept intact, the NY Regulation contains a number of changes and additions. Notable among them are requirements for annual risk assessments that include annual penetration testing and quarterly vulnerability assessments, specific requirements for access privileges, data retention, and encryption of nonpublic information, and a requirement for vendors to provide identity protection services for customers affected by a breach caused by the vendor’s negligence or willful misconduct (this is in lieu of the broad indemnity that the DFS had indicated in the framework would be required).
Key takeaways from the proposed NY Regulation include:
- Applicability to “Covered Entities”
The NY Regulation applies to “Covered Entities,” which are defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.”
- Protection of “Nonpublic Information” and “Information Systems”
The requirements and standards in the NY Regulation emphasize the protection of “Nonpublic Information” and the Covered Entity’s “Information Systems.” “Nonpublic Information” covers both information concerning natural persons (regardless of whether such persons are customers) and a Covered Entity’s “business related information,” where unauthorized disclosure of or tampering with that information would cause a material adverse impact on the Covered Entity.
- Cybersecurity Program
All Covered Entities must implement a cybersecurity program that includes a risk assessment. The program must include:
- Annual penetration testing;
- Quarterly vulnerability assessments;
- Audit trail systems;
- Limitations to access privileges;
- Personnel training and monitoring;
- Encryption of Nonpublic Information both when in transit and at rest (although a five-year phase-in period is allowed under specified circumstances);
- A written incident response plan;
- Policies and procedures for the timely destruction of Nonpublic Information that is no longer necessary for the provision of the products and services for which it was supplied; and
- Procedures to ensure that applications utilized by the Covered Entity are secure.
Unlike the Model Law, the NY Regulation does not explicitly authorize an entity’s cybersecurity program to be commensurate with its size and complexity, the nature and scope of its activities, or the sensitivity of the information it holds or processes. Instead, the NY Regulation exempts from certain rules those entities with: (1) fewer than 1,000 customers in each of the last three calendar years, (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years, and (3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles (GAAP), including the assets of affiliates.
- Management Oversight
A Covered Entity must have a written cybersecurity policy, which must be reviewed by the Covered Entity’s board of directors and approved by a senior officer of the Covered Entity at least annually.
- Chief Information Security Officer
In connection with the cybersecurity program and cybersecurity policy, the NY Regulation directs Covered Entities to designate a Chief Information Security Officer (the CISO). The CISO is responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy, and must report to the board at least biannually. Additionally, the Covered Entity must employ cybersecurity personnel sufficient to manage the Covered Entity’s cybersecurity risks and to perform the core cybersecurity functions.
- Third-Party Information Security Policy
The NY Regulation instructs each Covered Entity to implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information accessible to, or held by, third parties doing business with the Covered Entity. Such policies and procedures must include establishing preferred provisions in contracts with third-party service providers that cover topics such as the required use of encryption of data both in transit and at rest, the right to perform cybersecurity audits, and certain representations and warranties.
- Multi-Factor Authentication
The NY Regulation requires multi-factor authentication and risk-based authentication in certain circumstances.
- Reports and Notices to the DFS Superintendent
Under the NY Regulation, a Covered Entity must submit annual reports to the Superintendent certifying its compliance with the regulation. It also must notify the Superintendent of any cybersecurity event that has a “reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information.” Notice must be given as promptly as possible, but not later than 72 hours after becoming aware of an event. A Covered Entity also must provide a report to the Superintendent within 72 hours whenever it has identified a material risk of imminent harm relating to the cybersecurity of the entity.