August 28, 2017, marks the first of several rapidly approaching implementation deadlines for “covered entities” subject to the new cybersecurity regulations promulgated in March by the New York Department of Financial Services (NYDFS). With a few limited scope exemptions based on size, revenue, assets and structure, 23 NYCRR Part 500 establishes minimum cybersecurity requirements for approximately 4,500 DFS regulated licensees, and the sweeping new rules will de facto extend to third-party service providers and authorized users beyond the Empire State’s borders.
New Requirements for Covered Entities
At their core, the new regulations will require each covered entity to maintain a formal, documented cybersecurity program designed to protect the confidentiality, integrity and availability of its information systems and nonpublic information. The program will be expected to identify and assess cybersecurity risks and to protect against, detect, respond to and recover from cybersecurity events, and must be made available to the NYDFS superintendent upon request. Although covered entities will be free to design their own programs or hire third-party experts, the requirements include, at a minimum: (i) designation of a qualified Chief Information Security Officer (CISO); (ii) employee training programs; (iii) periodic penetration testing; (iv) periodic risk assessments; (v) multi-factor authentication; (vi) audit trails; (vii) application security; (viii) data retention practices; (ix) monitoring of authorized and unauthorized users; and (x) encryption of certain nonpublic information. Covered entities’ senior management will be required to certify compliance on an annual basis, starting no later than February 15, 2018, and must commit to notify NYDFS of “reportable” events as promptly as possible and in no event later than 72 hours from a determination of reportability.
New Guidelines for Doing Business with Covered Entities
The regulations further require covered entities to develop written policies and procedures to govern information accessible to, or held by, third-party service providers. Although based on the same risk assessment that underlies the covered entity’s own required cybersecurity program and policy, the third-party service provider guidelines are only required to address, to the extent applicable: (i) access controls; (ii) multi-factor authentication; (iii) encryption; (iv) notices; and (v) representations and warranties. In a subsequent FAQ document, NYDFS has indicated that it is incumbent upon the covered entity to make a risk assessment regarding the appropriate controls for third-party service providers “based on the individual facts and circumstances presented.” In effect, the regulation indirectly compels any third-party service provider anywhere to conform in order to do business with a New York bank, insurance company, or other regulated financial institution, because those providers are effectively held to the covered entity’s standard.
The First Domino to Fall, Certainly Not the Last
Although NYDFS was the first U.S. financial regulator to enact cybersecurity regulations, recent months have seen data security proposals from regulators in Colorado and Vermont, and earlier this week the National Association of Insurance Commissioners (NAIC) Innovation and Technology Task Force voted to adopt the new Insurance Data Security Model Act, which includes many provisions similar to the NYDFS regulation. The model act will be considered by state legislatures, many of which may have already enacted general cyber/data protection laws, over the next several years, so the development of systems and standards for the protection of insurance company and consumer data is certain to remain a hot-button issue in the U.S. as well as in the international insurance market.
Additional Upcoming Deadlines from NYDFS Regulation
September 27, 2017 – Deadline for filing notices seeking limited exemptions.
February 15, 2018 – Deadline for submission of first certification of compliance.
March 1, 2018 – Deadline for full compliance with CISO reporting, penetration testing, risk assessment, multi-factor authentication, and training program provisions.
September 3, 2018 – Deadline for full compliance with audit trail, application security, data retention, user monitoring, and encryption provisions.
March 1, 2019 – Deadline for full compliance with third-party vendor provisions.