The New York State Department of Financial Services (DFS) made headlines back in late September with a “first-in-the-nation” piece of legislation aimed at mandating specific cybersecurity protocols for banks, insurance companies, and other financial services institutions (Regulations). As the 45-day notice and public comment period recently closed, the Regulations, if adopted, will take effect January 1, 2017, and “covered entities” will have 180 days to comply. Even those companies with cybersecurity programs in place will still need plans for compliance under the new Regulations. Additionally, while New York may be the first state to issue a set of regulations of this kind, it is unlikely to be the last.
Entities Impacted by the Regulations
The proposed Regulations apply to entities meeting the definition of a “covered entity,” which includes: “any [p]erson operating under or required to operate under a license, registration, charter certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law or the financial services law.” This definition broadly encompasses not just those entities traditionally thought of — such as banks, credit unions, insurance companies, and mortgage lenders or brokers — but also third-party service providers to these regulated entities, as third parties are indirectly obligated to have similar cybersecurity policies and procedures. There are some exceptions to the definition of covered entity based upon an organization’s number of customers and gross annual revenue.
Key Implementation Requirements
The Regulations mandate a number of specific obligations that, for many companies, will require a shift in focus from ad hoc cybersecurity compliance to a methodical and well-documented program. From a 360-degree view, companies must have:
- A cybersecurity program in place that includes functions such as data mapping
- A written cybersecurity policy addressing a minimum of 14 different areas
- An information security policy for third parties who process information on the organization’s behalf
- An incident response plan
The Regulations also impose other specific procedures, such as:
- Board Involvement: Unlike any other state regulatory scheme, the Regulations mandate board-level engagement in an organization’s cybersecurity preparedness. Such engagement requires annual board review of the company’s cybersecurity policies and an annual certification approved by a “senior officer” confirming compliance. These expectations on upper-level management’s involvement align with the U.S. Department of Justice’s focus on holding individuals accountable.
- Cybersecurity Personnel: Good news if you are an experienced cybersecurity professional — the Regulations require each covered entity to designate a chief information security officer (CISO) and ensure that a “sufficient” number of cybersecurity personnel are employed to manage the risks and core functions of the program. The CISO must prepare and deliver a report to the board or its equivalent at least twice a year.
- Direct Protections on Data: At a minimum, the Regulations expect companies to: (1) maintain an audit trail, (2) limit access privileges, (3) destroy non-public information in a timely manner, (4) require multi-factor authentication for certain types of access to non-public information, and (5) encrypt all non-public information held or in transit (to the extent encryption is currently infeasible, there is a one-year grace period for encryption of data in transit and a five-year grace period to implement encryption of data at rest).
- Risk Analysis and Security Testing: The Regulations also require an annual risk analysis, annual penetration testing, and quarterly vulnerability assessments. By imposing mandatory security assessments, companies can no longer claim ignorance to risks and vulnerabilities that may affect non-public customer data maintained by third parties.
- Notification: A covered entity must notify the superintendent promptly, but no later than 72 hours, after becoming aware of a cybersecurity event that has a reasonable likelihood of materially affecting normal operation of the information system or that affects any non-public information. The organization must also notify the superintendent within 72 hours of any material risk of imminent harm related to its cybersecurity program.