The New York Department of Financial Services has implemented a cybersecurity regulation whose first compliance deadline is August 28, 2017. The New York rule is quite a bit more detailed than recent Colorado and Vermont rules, requiring the appointment of a Chief Information Security Officer (CISO) and at least biannual vulnerability assessments.
The New York Department of Financial Services is not the securities regulator in New York. So broker-dealers or investment advisers are only obligated to comply with the law if they or an affiliated company are required to register under the New York banking or insurance laws. The rule also contains certain exemptions, such as for companies with fewer than 10 employees.
The core of the cybersecurity rule consists of three requirements: firms must have a cybersecurity program, must maintain cybersecurity policies, and must conduct periodic risk assessments. The cybersecurity program must be based on the risk assessment and be designed to perform the following core functions:
- assess internal and external risks that may threaten the security or integrity of nonpublic information stored on the firm’s technology systems;
- use defensive infrastructure and policies to protect the firm’s technology systems, and the nonpublic information stored there, from unauthorized access, use or other malicious acts;
- detect any attempt to gain unauthorized access to, disrupt or misuse the firm’s technology systems or information stored on such systems (cybersecurity events);
- respond to cybersecurity events to mitigate negative effects;
- recover from cybersecurity events and restore normal operations and services; and
- fulfill regulatory reporting obligations.
The cybersecurity policies must be approved by the senior executive overseeing the firm’s information security or the company’s board. The cybersecurity policy shall be based on the firm’s risk assessment and address whichever of the following areas apply:
- information security;
- data governance and classification;
- asset inventory and device management;
- access controls and identity management;
- business continuity and disaster recovery planning and resources;
- systems operations and availability concerns;
- systems and network security;
- systems and network monitoring;
- systems and application development and quality assurance;
- physical security and environmental controls;
- customer data privacy;
- vendor management;
- risk assessment; and
- incident response.
The risk assessment must consider the particular risks of the firm’s business operations, the nonpublic information it collects, and the effectiveness of its technology systems. It must be carried out in accordance with written policies and procedures and documented. The policies must include criteria for evaluating and categorizing risks facing the firm; criteria for assessing “the confidentiality, integrity, security and availability” of the firm’s technology systems and nonpublic information; and a description of how the cybersecurity program will address the risks.
The rule includes a variety of other specific requirements designed to ensure that the cybersecurity programs are much more than a written set of policies that sit on a shelf. For example, in terms of governance, the rule requires the appointment of a Chief Information Security Officer (CISO) to oversee and implement the program (although the CISO can work at an affiliate or a third-party service provider) as well as a requirement that the CISO must report to the board or senior executive responsible for the cybersecurity program at least annually.
The rule includes other specific requirements. Some, such as a requirement to limit user access privileges and periodically review such privileges, are a natural part of any effective cybersecurity program. Others are more specific. For example, if a firm does not implement “effective continues monitoring” of its cybersecurity program, it must at least conduct annual penetration testing and biannual vulnerability assessments. Audit trails have to be kept for a certain period of time (that depend upon what was being audited). The rule requires certain notices to the New York Superintendent of Financial Services, including notification of certain cybersecurity events within 72 hours.
The rule initially became effective March 1, but there is a transitional period of between 180 days and two years before firms are required to be in compliance with the various parts of the rule. The main transitional period ends Aug. 28, although the transitional period related to risk assessments and penetration testing ends March 1, 2018.
The Division of Financial Services also recently released an FAQ that addresses 18 questions, such as when an unsuccessful attack constitutes a cybersecurity event under the rule and what constitutes “continuous monitoring.”
In short, the rule is extremely detailed. Even the existence of an excellent cybersecurity program will not save a firm from having to engage with the rule and its many specific requirements. Counsel can help firms understand their obligations and design their programs.