For thousands of financial institutions and insurance companies covered by New York DFS’s sweeping data security regulation, the countdown to yet another deadline has begun. Those companies will remember last August, when DFS’s first transition period ended, and the same companies know that they had to first certify their compliance with the regulation to DFS only months ago, in February.
Now, companies covered by the regulation should keep their eye on another fast-approaching deadline: September 3, 2018, when the regulation’s 18-month transitional period ends. As of that date, covered companies must be in compliance with the regulation’s requirements regarding audit trails (§500.06), application security (§500.08), data retention limitations (§500.13), access monitoring (§500.14(a)), and encryption of non-public information (§500.15). Companies will need to comply with the following requirements in just over 90 days:
At a minimum, a covered company must implement, “to the extent applicable and based on its Risk Assessment,” an audit trail system designed to track and maintain data “to reconstruct material financial transactions sufficient to support normal operations and obligations,” as well as to detect and respond to cybersecurity events. These audit trail records must be retained for at least five years for material financial transactions, and three years with respect to cybersecurity events. While many institutions no doubt maintain transaction data, this requirement will likely compel most to revisit their process for data capture to ensure an adequate reflection of a transaction’s lifecycle, as well as to produce records of potential intrusions and/or losses.
As of September 3, all companies covered by the regulation will also be required to have in place “written procedures, guidelines and standards” calculated to ensure “secure development practices” for software developed in-house and used by the company in its business. Companies must also have procedures in place “for evaluating, assessing or testing the security of externally developed applications” (i.e., third-party software) used in the company’s “technology environment.” These policies are subject to periodic review by the company’s chief information security officer or CISO.
In contrast to the regulation’s requirement that companies maintain an audit trail, there are limitations on the data retention allowed. Covered companies must implement policies and procedures for the timely destruction of non-public data that is “no longer necessary for business operations or for other legitimate business purposes.” While this requirement will require companies to consider the data they store (and for how long), companies may continue to retain data when it is otherwise required by law or regulation “or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.”
Companies must have in place “procedures and controls designed to monitor the activity” of authorized users of the company’s systems, as well as controls specifically directed at detecting “unauthorized access or use of, or tampering with” non-public information by such authorized users. While some companies may have such policies in place, these policies and procedures will be required (as of September 3) as part of the company’s cybersecurity program, and must provide for the detection of unauthorized data use by authorized system users (as opposed to detection of unauthorized use by unauthorized users).
Finally, based on “its Risk Assessment,” covered entities must have “controls” in place to protect non-public information both in transit and at rest. For DFS’s purposes, the “default” measure to protect such information is encryption. However, if encrypting non-public information is not feasible, covered entities may use “alternative compensating controls” to secure the information with the review and approval of the CISO. But if an entity chooses to use “alternative compensating controls” rather than encryption, “the feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.”
Given the difficulties faced by some companies in complying with DFS’s new cyber regime, companies – and their boards – would be well-advised to stay on track for compliance as this new deadline draws near.