On February 16, 2017, the New York Department of Financial Services (the “DFS”) released a final version (the “Final Regulation”) of its proposed cybersecurity regulation (the “Proposal”), which had previously been released in a revised form on December 28, 2016. The Final Regulation requires banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity protections. For more information on the previous versions of the Proposal, please see our November 2016, December 2016 and January 2017 blog posts.
Although the Final Regulation retains most of the content of the Proposal, the Final Regulation departs from the Proposal by:
- Expanding the types of entities that can qualify for an exemption from coverage by the Final Regulation (such as certain insurance companies) and identifying the sections of the Final Regulation from which such entities are exempt;
- Clarifying that the gross annual revenue calculation relating to an exemption for smaller entities is based only on the Covered Entity’s and its Affiliates’ New York business operations;
- Clarifying that the employee calculation relating to an exemption for smaller entities is based on the location of such employees of the Covered Entity or its Affiliates in New York or whether such employees are responsible for the Covered Entity’s business;
- Broadening the requirement to notify the DFS of certain Cybersecurity Events: In the Proposal, to warrant notification to the DFS, a Cybersecurity Event had to meet two conditions: (1) be a Cybersecurity Event of which notice is required to be provided to a government body, self-regulatory agency or any other supervisory body, and (2) have a reasonable likelihood of materially harming any material part of the Covered Entity’s normal operations. In the Final Regulation, if a Cybersecurity Event meets either of these conditions, the Covered Entity must notify the DFS of such Cybersecurity Event within 72 hours; and
- Relaxing the record retention requirements for audit trail records from five years to three years.
Under the Final Regulation, subject to certain exemptions, any individual, partnership, corporation, association or other entity operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law (a “Covered Entity”) is required to:
- Establish a Cybersecurity Program designed to ensure the security of the Covered Entity’s information systems, which must include: information and systems security, data governance and classification, asset inventory and device management, access controls, disaster recovery plans, a Risk Assessment, vendor and third-party service provider management, and a written Incident Response Plan;
- Adopt a written Cybersecurity Policy;
- Designate a Chief Information Security Officer (“CISO”) responsible for implementing, overseeing and enforcing the cybersecurity program and policy; and
- Comply with notice and reporting requirements, which include: reporting certain Cybersecurity Events to the DFS within 72 hours, and submitting annual compliance certifications to the DFS by February 15 of each year.
The Final Regulation is effective March 1, 2017 and establishes the following four compliance deadlines:
- For requirements not specifically addressed below, the compliance deadline is September 1, 2017.
- For the requirements in sections 500.04(b) (Chief Information Security Officer report), 500.05 (penetration testing and vulnerability assessments), 500.09 (risk assessment), 500.12 (multi-factor authentication), and 500.14(b) (cybersecurity training for personnel), the compliance deadline is March 1, 2018.
- For the requirements in sections 500.06 (audit trail), 500.08 (application security), 500.13 (limitations of data retention), 500.14(a) (implementation of policies and procedures regarding monitoring), and 500.15 (encryption of nonpublic information), the compliance deadline is September 1, 2018.
- For the requirements in section 500.11 (Third Party Service Provider Security Policy), the compliance deadline is March 1, 2019.
Because the first compliance deadline of September 1, 2017 is only a short time away, Covered Entities should start formulating a plan to comply with the Final Regulation now.
- If a Covered Entity qualifies for an exemption, it must file a Notice of Exemption with the DFS.
- If a Covered Entity does not qualify for an exemption, it must prepare the following documents:
  - Cybersecurity Policy;
  - Incident Response Plan;
  - Documentation of the required Risk Assessment;
  - Certification of Compliance to be submitted to the DFS (and relevant attachments);
  - Annual report to be delivered by the CISO to the Covered Entity’s board of directors; and
  - Third Party Service Provider Security Policy.