The NY Department of Financial Services Cybersecurity Regulation, 23 N.Y. Comp. Code R. & Regs. § 500, provides for the protection of customer information and information technology systems of Covered Entities, in recognition of the “ever growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.” The Cybersecurity Regulation is nearly three years old now, but for businesses that are not fully up to speed the consequences may soon be serious in light of anticipated enforcement activity. This includes credit-reporting agencies who were not covered under the Cybersecurity Regulation as initially enacted.
While the DFS has yet to impose a fine for inadequate cybersecurity compliance, this year may mark the beginning of more vigorous enforcement. This post provides an overview of the Cybersecurity Regulation for purposes of informing Covered Entities of certain notable requirements.
As New York privacy law evolves, organizations impacted should ensure their current practices meet minimum requirements to mitigate enforcement risk going forward. Our team is prepared to assist.
What is the scope of the Cybersecurity Regulation?
Subject to certain exceptions discussed below, Covered Entities under the Cybersecurity Regulation includes financial institutions operating in New York pursuant to a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
The Cybersecurity Regulation mandates that Covered Entities protect Information Systems and Nonpublic Information from cyber-threats by developing and implementing a comprehensive and effective cybersecurity program.
Information Systems is defined to include, among other things, electronic information resources organized for the collection, processing, maintenance, use or dissemination of electronic information. Nonpublic Information is defined to mean all electronic information that is either:
(1) Business-related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity; or
(2) Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements:
- Social security number;
- Drivers’ license number or non-driver identification card number;
- Account number, credit or debit card number;
- Any security code, access code or password that would permit access to an individual’s financial account;
- Biometric records; or
(3) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to:
- The past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family;
- The provision of health care to any individual; or
Nonpublic Information excludes any information that a Covered Entity has a reasonable basis to believe is lawfully made available to the general public from: federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law.
Certain Covered Entities – including those with fewer than 10 employees, less than $5,000,000 in gross annual revenue and less than $10,000,000 in year-end total assets – are exempted from compliance with some of the Cybersecurity Regulation’s requirements. To claim these exemptions, however, a company must promptly file a Notice of Exemption with DFS.
What is required under the Cybersecurity Regulation?
The Cybersecurity Regulation is notable for being much more prescriptive than the generalized “safeguards” principles in laws like the SHIELD Act. It requires that Covered Entities maintain written policies, approved by a Senior Officer or the Covered Entity’s board of directors, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems. It also requires that Covered Entities maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of Information Systems. This function may be performed by an Affiliate of a Covered Entity, which includes any individual or any non-governmental entity.
It additionally provides for, among other things:
- Periodic Risk Assessments: Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program, which are to be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations.
- Mandatory Annual Penetration Testing and Twice Yearly Vulnerability Assessments: The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program. In the absent of continuous monitoring or other systems to detect on an ongoing basis changes in the Information Systems that may create or indicate vulnerabilities, a Covered Entity shall conduct annual Penetration Testing of its Information Systems and bi-annual vulnerability assessments.
- Maintain Audit Trails For Designated Periods: Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment: (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity for not fewer than five years; and (2) include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity for not fewer than three years.
- Limit Access Privileges: As part of its cybersecurity program, based on the Covered Entity’s Risk Assessment each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.
- Designate a Chief Information Security Officer (“CISO”): Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (a CISO). The CISO may be employed by the Covered Entity, one of its Affiliates or a Third Party Service Provider (defined as a person or non-government entity that provides services to the Covered Entity and is permitted access to the Covered Entity’s Nonpublic Information).
- Have the CISO Report Annually to the Board: The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body. The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks.
- Security Policies Regarding Applications: Each Covered Entity shall have written procedures designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications.
- Multi-Factor Authentication: Multi-factor authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.
- Encryption: Each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.
- Limitations on Data Retention: Each Covered Entity shall have policies and procedures for the secure disposal on a periodic basis of certain Nonpublic Information that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
- Vendor Compliance: Each Covered Entity is required to implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to or held by Third-Party Service Providers. Among other things, a Covered Entity is required to have relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers including to the extent applicable guidelines addressing the Third Party Service Provider’s policies and procedures for access controls, including its use of multi-factor authentication and encryption to limit access to relevant Information Systems and Nonpublic Information.
What records and reports are required?
By February 15 of each year, each Covered Entity must submit to the Superintendent of DFS a written statement covering the prior calendar year, certifying that the Covered Entity is in compliance with the Cybersecurity Regulation’s requirements. Each Covered Entity shall maintain for examination by DFS all records, schedules and data supporting this certificate for a period of five years.
How will the Cybersecurity Regulation be enforced?
DFS has several options available to enforce the Cybersecurity Regulation, including but not limited to seeking a civil penalty of up to $1,000 per violation in conjunction with other relief. In May 2019, DFS announced the formation of a Cybersecurity Division, headed by a former federal cybercrime prosecutor, to lead enforcement efforts regarding the Cybersecurity Regulation. There have been no reported fines to date but enforcement activity is anticipated.
How can we help?
- Determine applicability of the Cybersecurity Regulation to your business.
- Conduct gap assessments of your current practices against the Cybersecurity Regulation.
- Prepare and execute work plans to achieve compliance in a cost-effective and efficient manner, leveraging existing compliance efforts where possible.
- Interpret nuances in the Cybersecurity Regulation provisions, including as they relate to third-party agreements, as well as other concerns under the laws.