On December 28, 2016, the New York Department of Financial Services (the DFS) published a revised proposed cybersecurity regulation (the Revised Regulation) for further public comment. First published in September 2016, the Revised Regulation is a culmination of three years of work by the DFS to prioritize cybersecurity oversight. It is designed to promote the protection of nonpublic information as well as information technology systems of banks, insurance companies, and other financial services providers regulated by the DFS (Covered Entities).
The Revised Regulation is now proposed to become effective on March 1, 2017, and entities subject to the regulation would have 180 days from this effective date to comply, although, as discussed below, the regulation allows additional time to comply with certain requirements. The notice and public comment period ends on January 27, 2017, and the DFS is expected to finalize the regulation shortly thereafter. The DFS’s final review will focus on any comments that were not raised during the original comment process.
A number of public comments on the original proposal are addressed by the changes. The DFS rejected others. The greatest volume of changes are where the DFS has clarified that requirements are linked to the results of a Covered Entity’s risk assessment, consistent with the DFS’s stated intention to have risk-based rules. Notably, in its assessment of public comments, the DFS said that while it believes an entity should model its cybersecurity program on its cybersecurity risks, the risk assessment is not intended to permit a cost-benefit analysis of acceptable losses.
Key specific changes and additions to the Revised Regulation include:
- Cybersecurity Policy
The original proposed regulation required a Covered Entity’s cybersecurity policy to address a list of enumerated areas. The revisions clarify that a Covered Entity’s cybersecurity policy is to be based on the Covered Entity’s risk assessment and needs to include the enumerated areas set forth in the regulation only “to the extent applicable to the Covered Entity’s operations.”
- Cybersecurity Program
Under the Revised Regulation, a Covered Entity can now comply with the cybersecurity program requirements by adopting a cybersecurity program maintained by an affiliate, so long as the program covers the Covered Entity’s Information Systems and Nonpublic Information and complies with the Revised Regulation.
- Audit Trail
The original proposed regulation required every Covered Entity to maintain an audit trail system with six very specific requirements for tracking and maintaining data. More flexibility is allowed under the Revised Regulation insofar as the specified elements of the audit trail system are required only “to the extent applicable and based on [the Covered Entity’s] Risk Assessment.” In addition, the six specific requirements for tracking and maintaining data have been replaced with just three, and they are now qualified by materiality. The first is that the system be designed to reconstruct material financial transaction sufficient to support normal operations and obligations. The second is that the system include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material party of normal operations. The third is a record maintenance requirement for a period of at least five years.
- Third-Party Service Provider Security Policy
The DFS has substantially modified the requirements imposed on Covered Entities in connection with third-party service providers’ cybersecurity. First, the Revised Regulation now defines “Third Party Service Provider” to mean “a Person that (i) is not an Affiliate or the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provisions of services to the Covered Entity.” Next, the DFS has revamped the Revised Regulation’s articulation of what information must be included in the Covered Entity’s policies and procedures relating to Third-Party Service Providers. For example, the requirement that the policies and procedures include “establishing preferred provisions to be included in contracts with Third Party Service Providers” has been reworked to instead require that the policies and procedures include “relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers.” In addition to this redrafting, other requirements have been removed, such as the requirement that the policies and procedures establish preferred provisions addressing the right of the Covered Entity to perform cybersecurity audits of the Third Party Service Provider.
- Chief Information Security Officer
After commenters questioned whether the regulation would require a Covered Entity to specifically create a Chief Information Security Officer (CISO) position, the DFS reworded the section to: (1) clarify that each Covered Entity must designate a qualified individual to oversee and implement the Covered Entity’s cybersecurity program and enforce its cybersecurity policy; and (2) imply that the individual need not have the specific title of CISO. In addition, the CISO’s report to the board of directors must now be in writing, but the reporting obligation has been reduced from biannual to annual.
- Encryption of Nonpublic Information
The regulation previously required all Covered Entities to encrypt all Nonpublic Information held or transmitted by the Covered Entity both in transit and at rest. Covered Entities could utilize compensating controls in lieu of meeting the encryption requirements, but they were permitted to do so for only one year after the effective date of the regulation with respect to Nonpublic Information in transit and for five years after the effective date of the regulation with respect to Nonpublic Information at rest. The Revised Regulation has removed these deadlines for using compensating controls. Instead, now to the extent that a Covered Entity utilizes compensating controls, the CISO must review at least annually the feasibility of encryption and effectiveness of the compensating controls.
- Notices to Superintendent
The Revised Regulation no longer has a specific notice requirement for Cybersecurity Events that involve the actual or potential unauthorized tampering with, or access to or use of, Nonpublic Information. Rather, a Covered Entity must notify the DFS Superintendent within 72 hours after it determines: (1) that a Cybersecurity Event has occurred that requires notice to be provided to any other government body, self-regulatory agency, or any other supervisory body; and (2) that the Cybersecurity Event has a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.
- Transitional Periods
The regulation originally imposed a 180-day compliance deadline for nearly all of its requirements. Under the Revised Regulation, while Covered Entities still must be in general compliance with the regulation 180 days after the March 1, 2017, effective date, Covered Entities have additional time to comply with many important provisions. For instance, the implementation date is: (1) one year from the effective date for the risk assessment requirements and penetration testing and vulnerability requirements; (2) eighteen months from the effective date for the encryption of nonpublic information requirements; and (3) two years from the effective date for the third-party service provider security policy requirements.
As in the original proposed regulation, the Revised Regulation applies to “Covered Entities.” While the DFS has not changed the definition of Covered Entity, which is “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law,” the DFS has modified its limited exemption for small Covered Entities and added other exemptions. Specifically, while the small Covered Entity exemption previously required a Covered Entity to have fewer than 1,000 customers in each of the last three calendar years, it now requires a Covered Entity to have fewer than 10 employees including any independent contractors. Additionally, the DFS has created a limited exemption for a Covered Entity that “does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not directly or indirectly control, generate, receive or possess Nonpublic Information.” Further, the DFS has added a full exemption for an employee, agent, or affiliate of a Covered Entity, that is itself a Covered Entity, to the extent that such employee, agent or affiliate is covered by the cybersecurity program of the Covered Entity.
Note, however, that the Revised Regulation also requires an exempt Covered Entity to file a notice of exemption with the DFS.