On September 13, 2016, the New York State Department of Financial Services (DFS) proposed new rules that would require certain “Covered Entities” to establish and implement cybersecurity programs designed to protect nonpublic consumer information (Nonpublic Information) and technology systems from cyber-attacks (Proposed Rules). Below are some of the highlights of the Proposed Rules:
The Proposed Rules would apply to any person or entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law, or the financial services law.”
The Proposed Rules would not apply to a Covered Entity with (i) fewer than 1,000 customers in each of the last three calendar years; (ii) less than $5,000,000 in gross annual revenue in each of the last three fiscal years; and (iii) less than $10,000,000 in year-end total assets.
The Proposed Rules are subject to a 45-day notice and public comment period and, if approved, would be effective beginning January 1, 2017 (Effective Date). Covered Entities would then have 180 days from the Effective Date to comply.
Covered Entities must establish a cybersecurity program designed to perform the following “core cybersecurity functions”:
- Identify internal and external cyber risks by identifying Nonpublic Information stored on the Covered Entity’s systems and how that information can be accessed
- Use defensive infrastructure and the implementation of policies and procedures to protect Nonpublic Information and the Covered Entity’s systems
- Detect certain “Cybersecurity Events”
- Respond to identified or detected Cybersecurity Events
- Recover from Cybersecurity Events
- Fulfill regulatory reporting obligations
Covered Entities must implement and maintain a written cybersecurity policy addressing the following areas:
- Information security
- Data governance and classification
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Capacity and performance planning
- Systems operations and availability concerns
- Systems and network security and monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Risk assessment
- Incident response
The cybersecurity policy must be reviewed by the Covered Entity’s board of directors, or equivalent governing body, and approved by a senior officer of the Covered Entity.
Appointment of Chief Information Officer and Other Cybersecurity Personnel
A Covered Entity must appoint a qualified individual to serve as the entity’s chief information security officer, who will be responsible for overseeing and implementing the entity’s cybersecurity program. In addition, each Covered Entity must employ cybersecurity personnel to manage the entity’s cybersecurity risks.
Penetration Testing and Vulnerability Assessments
A Covered Entity’s cybersecurity program must include annual penetration testing and quarterly vulnerability assessments.
Audit Trail System
Cybersecurity programs must include implementing and maintaining audit trail systems that track, maintain, and log certain data, including financial transactions necessary to enable the Covered Entity to detect and respond to a Cybersecurity Event.
Limiting Access Privileges and Multi-Factor Authentication
A Covered Entity’s cybersecurity program must limit access privileges to the entity’s systems that provide access to Nonpublic Information solely to those individuals who require such access. In addition, each Covered Entity must require multi-factor authentication for accessing internal systems, plus privileged access to database servers that provide access to Nonpublic Information, and for individuals accessing web applications that contain Nonpublic Information.
Annual Risk Assessments
Each Covered Entity is required to conduct an annual risk assessment of its information systems.
Each Covered Entity is required to implement written policies and procedures that are designed to ensure the security of Nonpublic Information and the Covered Entity’s information systems that are accessible to or maintained by third parties that do business with the Covered Entity.
Limitations on Data Retention and Encryption of Nonpublic Information
Each Covered Entity is required to implement policies that require the destruction of Nonpublic Information that is no longer necessary.
Employee Training and Monitoring
Each Covered Entity must implement policies, procedures, and controls that are designed to monitor user activity and detected unauthorized use. In addition, each Covered Entity must require that all personnel attend regular cybersecurity awareness training sessions.
Incident Response Plan
Each Covered Entity must implement a written incident response plan that is designed to respond immediately to a Cybersecurity Event. The plan must address at least the following areas:
- The internal processes for responding to a Cybersecurity Event
- The goals of the incident response plan
- The definition of roles, responsibilities, and decision-making authority
- External and internal communications and information sharing
- Remediation of any weaknesses in information systems and other controls
- Documentation and reporting concerning Cybersecurity Events and response activities
- The evaluation and revision of the incident response plan following a Cybersecurity Event
Notices of Cybersecurity Event to DFS Superintendent
Each Covered Entity is required to notify the DFS superintendent of any Cybersecurity Event “that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information.” The notice must be provided no later than 72 hours after the Covered Entity becomes aware of the incident.
Conclusion and Insight
While many institutions have already taken significant strides to address cybersecurity threats, if the Proposed Rules are enacted, Covered Entities will be required to go beyond what many institutions have already done. As such, Covered Entities should begin evaluating their cybersecurity programs and preparing for possible changes based on the Proposed Rules. Further, even non-Covered Entities should pay attention to the outcome of these proposals as they will likely serve as a template for other states and regulators to propose similar requirements.