Last month the New York Department of Financial Services (NYDFS) released its final rule requiring banks, insurance companies, other financial institutions, and individuals regulated by the agency to maintain a written cybersecurity program intended to protect consumers’ private data, effective March 1. The Department has also issued FAQs designed to further clarify the rule requirements.
The rule broadly defines a “covered entity” subject to it as an entity or individual licensed, organized, registered or otherwise similarly authorized under New York banking, insurance or financial services law. This not only includes financial services companies, but also professionals individually licensed, such as insurance agents and insurance brokers. However, the rule exempts employees, agents, representatives, or designees of companies that are covered entities if the individual is included in the company’s cybersecurity program.
Unique Data Security Rule Provisions and Compliance Timeline
A previous Bryan Cave Data Security Alert addressed five provisions in the proposed rule that are unique from other existing cybersecurity laws, including novel requirements in the areas of multi-factor authentication, data retention policies, application vulnerability scanning, audit trails, and account monitoring activity. (For additional background on these areas, please see the previous rule alert.) These provisions generally have remained unchanged in the final rule.
Although the rule is effective March 1, covered entities have a preliminary transitional period for general compliance with the rule ending August 28, 2017 (i.e., 180 days after the effective date). After this there are additional transitional periods for complying with aspects of the cybersecurity program rule requirements that range from one to two years. For the five unique requirements addressed in the previous alert, timing is the same as in the proposed rule, except for some aspects of the audit trail requirements. Below is a summary of the compliance timeline for each:
- Multi-Factor Authentication: Within one year, covered entities must have at least two forms of authentication before permitting someone outside of their network from accessing internal systems.
- Application Vulnerability Scanning: By September 3, 2018 (18 months after the regulation’s effective date), covered entities must develop written standards to be used in-house when developing software applications. The same timeline applies for covered entities to develop a procedure for evaluating, assessing or testing the security of any third-party applications they use as applied to their particular system.
- Data Retention Policies: The requirement that covered entities securely dispose of data no longer needed for a business purpose also must be met by September 3, 2018.
- Account Activity Monitoring: Also by September 3, 2018, covered entities must create policies, procedures and controls for monitoring the activity of internal users such as employees and external users such as customers for signs of suspicious activity that may indicate an account has been compromised.
- Audit Trails: If a covered entity’s risk assessment indicates that it must create audit trails to detect cybersecurity threats, the logs must be kept for at least three years, instead of five as in the proposal. (However, records of audit trails designed to reconstruct material financial transactions supporting the covered entity’s normal operations must be kept at least five years.) This requirement also must be met by September 3, 2018.
Beginning February 15, 2018, covered entities must submit to NYDFS their first annual certification of compliance with all requirements for which the transitional period has ended before that date using the form provided in Appendix A of the regulation. The FAQs clarify that the February 15, 2018, certification date excludes any provisions that have not yet reached the end of the transitional period by that date, including the five provisions addressed above. However, every year after February 15, 2018, a covered entity’s annual certification due February 15 must include actual compliance with all requirements applicable to the covered entity as of that certification date. The final transitional period, requiring that covered entities implement policies and procedures to ensure data security of Information Systems and Nonpublic Information accessed by third parties, requires compliance by March 1, 2019, and certification would be required by February 15, 2020.
The FAQs clarify that a covered entity may adopt, in whole or part, an affiliate’s compliant cybersecurity program. In that case, however, the covered entity is still responsible for full compliance with the rule and must make any part of an affiliate’s cybersecurity program that it relies on subject to NYDFS examination.
The final rule includes exemptions for certain insurance entities that were not in the proposed rule. Captive insurance companies doing business under Article 70 of New York Insurance Law that do not directly or indirectly control, use or possess Nonpublic Information other than such information related to their corporate parent company or affiliates do not have to develop their own cybersecurity programs. These entities do, however, have limited requirements under the rule related to conducting periodic risk assessments, having written policies for third-party service providers and data retention, and meeting NYDFS notification requirements. Companies exempt under this provision still must file a notice of exemption with NYDFS using the form provided in Appendix B of the rule by September 27, 2017 (i.e., 30 days after the general transitional period compliance deadline of August 28, 2017).
Other entities subject to New York Insurance Law that are exempt from the rule provided they do not otherwise qualify as covered entities include charitable annuity societies operating under Section 1110 and risk-retention groups doing business in New York under section 5904, along with reinsuers accredited or certified under section 125 of New York insurance regulations (11 NYCRR 125). Exempt parties under those categories do not have to file a notice of exemption with NYDFS.
Significant partial exemptions relating to companies that do not directly or indirectly control any Information Systems or access Nonpublic Information, have fewer than 10 employees, a gross annual revenue under $5,000,000, and less than $10,000,000 in year-end total assets that were included in the proposed rule remain in the final rule.
A summary of key transitional period dates, a copy of the rule, and the FAQs are available on NYDFS’ website.